PatchSiren cyber security CVE debrief
CVE-2018-25401 Open ISES CVE debrief
CVE-2018-25401 documents an unauthenticated SQL injection vulnerability in The Open ISES Project version 3.30A. The flaw resides in the `sever_graph.php` endpoint, where the `p1` parameter fails to properly sanitize user-supplied input before incorporating it into SQL queries. Attackers can exploit this weakness via crafted GET requests to execute arbitrary SQL commands, potentially extracting sensitive database information including schema names and other data. The vulnerability carries a HIGH severity CVSS score of 8.8, reflecting significant risk due to network accessibility, low attack complexity, and no required privileges or user interaction. The CVE was published on 2026-05-29 and subsequently modified the same day. The vulnerability has been assigned CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Open ISES
- Product
- Open ISES Project
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running The Open ISES Project 3.30A; security teams responsible for web application security; database administrators managing backend systems for emergency services or incident management platforms; penetration testers assessing PHP-based emergency management applications
Technical summary
The vulnerability exists in `sever_graph.php` where the `p1` parameter is directly interpolated into SQL queries without proper sanitization or parameterization. This allows attackers to inject malicious SQL payloads through GET requests, enabling arbitrary query execution against the backend database. The attack requires no authentication and can be conducted remotely with low complexity. Successful exploitation may result in unauthorized data extraction, including database schema information and sensitive application data. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, no user interaction, with high confidentiality impact and low integrity impact.
Defensive priority
HIGH
Recommended defensive actions
- Apply input validation and parameterized queries to the p1 parameter in sever_graph.php
- Implement prepared statements to prevent SQL injection in database interactions
- Conduct code review of all database query constructions in the application
- Deploy Web Application Firewall rules to detect and block SQL injection attempts against sever_graph.php
- Remove or restrict access to sever_graph.php if the functionality is not required
- Monitor access logs for suspicious GET requests to sever_graph.php containing SQL keywords or unusual p1 parameter values
- Upgrade to a patched version of The Open ISES Project when available, or consider alternative maintained solutions given the project's status on SourceForge
Evidence notes
Vulnerability confirmed through official CVE record and NVD entry. Advisory documentation available from VulnCheck. Exploit technique documented in Exploit-DB entry. Source references include project homepage and download location on SourceForge.
Official resources
The Open ISES Project 3.30A contains an unauthenticated SQL injection vulnerability in the `sever_graph.php` endpoint via the `p1` parameter.