SQL Injection Vulnerability in No-Cms by GoFrendi Asgard
CVE-2018-25431

7.1HIGH

Key Information:

Vendor

Gofrendiasgard

Status
No-cms
Vendor
CVE Published:
1 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2018-25431?

No-Cms 1.0 has a significant SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint. This flaw allows authenticated attackers to manipulate database queries by sending crafted POST requests to the specific endpoint. By injecting malicious SQL code into the order_by[0] parameter, attackers can potentially gain unauthorized access to sensitive information stored in the database.

Affected Version(s)

No-CMS 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-25431 - Proof of Concept

References

https://www.exploit-db.com/exploits/45903
exploit
https://github.com/goFrendiAsgard/No-CMS
product
https://codeload.github.com/goFrendiAsgard/No-CMS/zip/master
product

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Loading Kura Kura
.