SQL Injection Vulnerability in SIM-PKH by SourceForge
CVE-2018-25410

7.1HIGH

Key Information:

Vendor: Simpkh
Status: Sim-pkh
Vendor: CVE Published:; 30 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2018-25410?

The SIM-PKH 2.4.1 version is vulnerable to an SQL injection flaw that allows authenticated users to execute arbitrary SQL commands via the 'id' parameter. By crafting GET requests to /admin/media.php with specific parameters (module=pengurus and act=editpengurus), attackers can inject SQL UNION statements to extract sensitive information from the database, including usernames, database configurations, and version details.

Affected Version(s)

SIM-PKH 2.4.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-25410 - Proof of Concept

References

https://www.exploit-db.com/exploits/45664

exploit

https://simpkh.sourceforge.io/

product

https://sourceforge.net/projects/simpkh/files/latest/down...

product

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 30, 2026
👾
Exploit known to exist
May 30, 2026
Vulnerability published
May 30, 2026
Vulnerability Reserved
May 30, 2026

Credit

Ihsan Sencan

CVE-2018-25410 Data

JSON

Simpkh

Badges

What is CVE-2018-25410?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit