PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25394 Kados CVE debrief

CVE-2018-25394 documents an unauthenticated SQL injection vulnerability in Kados R10 GreenBee, a project management application. The flaw exists in the `release_id` parameter of `boards_buttons/update_release.php`, where user-supplied input is concatenated directly into SQL statements without sanitization. Attackers can exploit this via crafted GET requests using UNION-based payloads to extract sensitive database information, including the current user, database name, and DBMS version. The CVE record was published on 2026-05-29 with a CVSS 4.0 score of 8.8 (HIGH). The vendor attribution is marked as low confidence based on reference domain analysis, with Exploit-DB identified as a candidate source. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Kados
Product: Kados R10 GreenBee
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

  • Organizations running Kados R10 GreenBee project management software
  • Security teams responsible for web application security
  • Database administrators managing backend systems supporting Kados deployments
  • Incident response teams monitoring for SQL injection attack patterns

Technical summary

The vulnerability stems from improper neutralization of special elements used in an SQL command (CWE-89). The `release_id` parameter in `boards_buttons/update_release.php` accepts user input that is directly concatenated into SQL queries without sanitization or parameterization. This allows attackers to inject malicious SQL code through GET requests. A successful attack can extract database metadata including current database user, database name, and DBMS version through UNION-based injection techniques. The attack requires no authentication and can be executed remotely over the network.

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries to the `release_id` parameter in `boards_buttons/update_release.php`
  • Implement prepared statements to prevent SQL injection in all database interactions
  • Conduct a code review of similar parameter handling throughout the Kados application
  • Monitor web application logs for suspicious UNION-based SQL injection patterns
  • Restrict database account privileges to limit the impact of successful injection attacks
  • Consider web application firewall (WAF) rules to detect and block SQL injection attempts
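One way to act on the log-monitoring recommendation above: a small scanner that flags requests to `boards_buttons/update_release.php` whose `release_id` is not a plain integer and raises the severity when a UNION ... SELECT sequence is present after URL-decoding. This is an added example, not PatchSiren's or Kados's code; the access-log lines are constructed samples, and only the script and parameter names come from the advisory.

```python
"""Access-log detection for the CVE-2018-25394 injection pattern. Added example,
not PatchSiren's or Kados's code; script/parameter names are from the advisory."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_SCRIPT = "boards_buttons/update_release.php"
TARGET_PARAM = "release_id"
# Combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A legitimate release_id is a plain integer; anything else is suspicious, and a
# UNION ... SELECT sequence (allowing comment/plus padding) raises the severity.
INT_RE = re.compile(r"^\d+$")
UNION_RE = re.compile(r"\bunion\b(?:\s|\+|/\*.*?\*/)+(?:all\s+)?select\b", re.I | re.S)

def classify_request(target):
    """Return None for uninteresting requests, else a dict describing the hit."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_SCRIPT):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM)
    if not values:
        return None
    # parse_qs decoded once; a second pass catches double-encoded payloads
    # (%2520 -> %20 -> space) aimed at naive filters.
    value = unquote_plus(values[0])
    if INT_RE.fullmatch(value):
        return None
    severity = "high" if UNION_RE.search(value) else "medium"
    return {"param": TARGET_PARAM, "value": value, "severity": severity}

def scan_log(lines):
    """Parse access-log lines and return one hit dict per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hit := classify_request(m.group("target"))):
            hit.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            hits.append(hit)
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [29/May/2026:10:00:01 +0000] "GET /kados/boards_buttons/update_release.php?release_id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/May/2026:10:00:09 +0000] "GET /kados/boards_buttons/update_release.php?release_id=1%27 HTTP/1.1" 500 0',
    '198.51.100.7 - - [29/May/2026:10:00:15 +0000] "GET /kados/boards_buttons/update_release.php?release_id=1+UNION+SELECT+NULL,NULL HTTP/1.1" 200 2048',
    '198.51.100.7 - - [29/May/2026:10:00:21 +0000] "GET /kados/boards_buttons/update_release.php?release_id=1%2520union%2520all%2520select%25201 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [29/May/2026:10:01:00 +0000] "GET /kados/index.php?release_id=1+UNION+SELECT+1 HTTP/1.1" 200 300',
]
```

Running `scan_log(SAMPLE_LOG)` yields three hits (one medium, two high); the integer request and the request to a different script are ignored.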

Evidence notes

Vulnerability confirmed via NVD with CVSS 4.0 vector. Exploit-DB reference 45617 provides technical details. VulnCheck advisory confirms SQL injection via release_id parameter in update_release.php. SourceForge and kados.info references provide product context.
