| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
| Exploit for SQL Injection in Vishalmathur Cloudclassroom-Php_Project | 11 Jan 202618:05 | – | githubexploit | |
| Exploit for SQL Injection in Vishalmathur Cloudclassroom-Php_Project | 18 Jun 202518:19 | – | githubexploit | |
| CVE-2025-26198 | 10 Jun 202506:56 | – | circl | |
| CloudClassroom-PHP-Project 安全漏洞 | 18 Jun 202500:00 | – | cnnvd | |
| CVE-2025-26198 | 18 Jun 202500:00 | – | cve | |
| CVE-2025-26198 | 18 Jun 202500:00 | – | cvelist | |
| EUVD-2025-18659 | 3 Oct 202520:07 | – | euvd | |
| CVE-2025-26198 | 18 Jun 202518:15 | – | nvd | |
| CVE-2025-26198 | 18 Jun 202518:15 | – | osv | |
| PT-2025-26183 · Unknown · Cloudclassroom-Php Project | 18 Jun 202500:00 | – | ptsecurity |
# 🛡️ CVE Disclosure: CVE-2025-26198 — SQL Injection in CloudClassroom-PHP-Project
**Disclosure Date:** 18 June 2025
**CVE ID:** CVE-2025-26198
**Severity:** CRITICAL (CVSS 9.8)
---
## 🧩 Summary
A critical SQL Injection vulnerability exists in `CloudClassroom-PHP-Project v1.0`, specifically within the `loginlinkadmin.php` endpoint. The application directly incorporates unsanitized user inputs into SQL queries, allowing unauthenticated attackers to bypass authentication and gain full administrative access.
This issue has been assigned the identifier **CVE-2025-26198**. At the time of public disclosure, **no official patch** was available.
---
## 📦 Affected Product
- **Vendor:** Independent (mathurvishal)
- **Project:** [CloudClassroom-PHP-Project](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
- **Version:** v1.0
- **File:** `loginlinkadmin.php`
- **Vulnerable Endpoint:**
`http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php`
---
## 🔬 Vulnerability Details
The admin login mechanism uses unsanitized input directly in SQL queries without any input validation or prepared statements:
```php
$query = "SELECT * FROM admin WHERE username='$username' AND password='$password'";
```
This allows for injection payloads such as:
```sql
Username: ' OR '1'='1
Password: [any value]
```
This bypasses authentication logic by evaluating to a true condition, thereby granting access to the admin dashboard.
---
## 📌 CWE Classification
| CWE ID | Title |
|--------|-----------------------------------------------------------------------|
| [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | Improper Neutralization of Special Elements used in an SQL Command |
---
## 📊 CVSS v3.1 Score
| Score | Severity | Vector String |
|-------|----------|---------------------------------------------|
| 9.8 | CRITICAL | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
---
## 💥 Impact
A successful exploitation could result in:
- ✅ Full **authentication bypass**
- 🔓 **Unauthorized access** to privileged admin features
- 🛠️ Potential **data leakage or manipulation** using `UNION`-based SQL injection
- ⚠️ Full **compromise of the backend database**
---
## 🧪 Proof of Concept (PoC)
### 1. Clone the Repository
```bash
git clone https://github.com/mathurvishal/CloudClassroom-PHP-Project.git
```
### 2. Host Locally
Use XAMPP/LAMP to deploy the project and navigate to:
```
http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php
```
### 3. Payload Injection
Enter the following credentials in the login form:
- **Username:** `' OR '1'='1`
- **Password:** `[any value]`
You will be logged in as the first admin user, verifying successful SQL injection.
---
## 🔐 Recommendations
- ✅ Replace dynamic SQL queries with **prepared statements** (`mysqli_prepare()` or **PDO**).
- 🔍 Perform **input validation and sanitization** for all user inputs.
- 🧱 Deploy a **Web Application Firewall (WAF)** to block known SQL injection patterns.
- 🛡️ Conduct **regular code audits** and **penetration testing** for early detection.
---
## 📆 Timeline
| Event | Date |
|--------------------------|----------------|
| Vulnerability Discovered | 14 April 2025 |
| Public Disclosure | 18 June 2025 |
| Patch Available | ❌ Not available as of disclosure |
---
## 🙋♂️ Credits
This vulnerability was discovered and responsibly disclosed by:
**Tansique Dasari**
🔗 [GitHub](https://github.com/phantomtrace)
✉️ [[email protected]](mailto:[email protected])
---
## 🔗 References
- [OWASP - SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
- [PortSwigger - SQL Injection](https://portswigger.net/web-security/sql-injection)
- [CloudClassroom GitHub Repository](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
- [CVE-2025-26198 on CVE.org](https://cve.org/CVERecord?id=CVE-2025-26198)
---
> 💬 *This advisory is published independently due to lack of vendor response.*Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation