SQL Injection Vulnerability in Paroiciel 11.20 by Paroiciel
CVE-2018-25428
8.8 HIGH
Key Information:
Badges
Exploit Exists
What is CVE-2018-25428?
Paroiciel 11.20 is vulnerable to an SQL injection that permits unauthenticated attackers to run arbitrary SQL queries by exploiting the tRecIdListe parameter. By sending specially crafted GET requests to the trec.php endpoint, attackers can inject malicious SQL code, potentially allowing them to extract sensitive database information such as table and column names. This vulnerability poses a significant risk, enabling unauthorized access to crucial data within the system.
Affected Version(s)
Paroiciel 11.20
CVSS V4
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
Credit
Ihsan Sencan
