PatchSiren cyber security CVE debrief

CVE-2018-25402 Open ISES CVE debrief

CVE-2018-25402 is a high-severity SQL injection vulnerability in The Open ISES Project version 3.30A, an open-source emergency services information system. The vulnerability resides in the `inc_types_graph.php` endpoint, where the `p1` parameter fails to properly sanitize user input, allowing unauthenticated remote attackers to inject and execute arbitrary SQL queries via crafted GET requests. Successful exploitation enables extraction of sensitive database information including schema names and other data. The vulnerability was published to the NVD on May 29, 2026, with a CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N, reflecting network accessibility, low attack complexity, no privileges required, and high confidentiality impact. The vulnerability is classified under CWE-89 (SQL Injection). No known exploitation in ransomware campaigns has been documented, and the vulnerability does not appear on the CISA KEV catalog.

Vendor: Open ISES
Product: Open ISES Project
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations operating The Open ISES Project 3.30A for emergency services information management; security teams responsible for protecting public safety infrastructure; developers maintaining legacy PHP applications with database connectivity.

Technical summary

The Open ISES Project 3.30A contains an unauthenticated SQL injection vulnerability in the `inc_types_graph.php` script. The `p1` parameter accepts user-supplied input without adequate sanitization, allowing attackers to manipulate backend SQL queries. This is a classic first-order SQL injection where malicious payloads are submitted directly via HTTP GET requests. The vulnerability enables unauthorized read access to database contents including schema information, with potential for further database compromise depending on database user privileges.

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries to the p1 parameter in inc_types_graph.php
  • Implement prepared statements for all database interactions in the application
  • Deploy Web Application Firewall (WAF) rules to detect and block SQL injection attempts against the inc_types_graph.php endpoint
  • Restrict network access to the application management interface where possible
  • Monitor application logs for anomalous GET requests to inc_types_graph.php containing SQL keywords or special characters
  • Upgrade to a patched version of The Open ISES Project when available, or consider alternative maintained emergency services platforms
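To illustrate the first two actions above, here is an added example (not code from the Open ISES project; the handler shape, the table `type_counts`, its columns and the DSN are all hypothetical) showing a string-concatenated query of the kind the advisory describes beside a hardened version that validates `p1` as an integer and binds it through a PDO prepared statement.

```php
<?php
// Added example: hypothetical handler shapes, not the Open ISES code.
// Table and column names (type_counts, type_id, label, total) are invented.

// Vulnerable shape: the raw query-string value is concatenated into SQL,
// so a quote or SQL keyword in p1 changes the statement's structure.
function fetch_counts_vulnerable(PDO $pdo, string $rawP1): array
{
    $sql = "SELECT label, total FROM type_counts WHERE type_id = " . $rawP1;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: validate the parameter's type first, then bind it so the
// database receives the value separately from the statement text.
function fetch_counts_safe(PDO $pdo, string $rawP1): array
{
    $id = filter_var($rawP1, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject anything that is not a positive integer and leave a log
        // line for the monitoring rule recommended above.
        error_log("inc_types_graph: rejected non-integer p1 value");
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare("SELECT label, total FROM type_counts WHERE type_id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the request parameter; DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepares
]);
$rows = fetch_counts_safe($pdo, $_GET['p1'] ?? '');
```

Disabling emulated prepares makes the MySQL server itself separate statement text from bound values; with emulation on, PDO escapes and interpolates client-side, which is still correct but depends on the client library's quoting.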

Evidence notes

Vulnerability confirmed through the official NVD record with CVSS 4.0 scoring. The `p1` parameter in `inc_types_graph.php` is the confirmed injection point. Vendor attribution is marked as low confidence in the source data because the canonical source is classified as 'reference_domain_weak'.

Official resources

The vulnerability was disclosed via VulnCheck and published to the NVD on May 29, 2026. The NVD entry status is currently 'Deferred'. Multiple reference sources are available including the vendor's SourceForge project page, an Exploit-DB Po