PatchSiren cyber security CVE debrief
CVE-2018-25403 Open ISES CVE debrief
CVE-2018-25403 documents an SQL injection vulnerability in The Open ISES Project version 3.30A. The vulnerability exists in the city_graph.php endpoint, where input supplied through the p1 parameter is not properly sanitized before being used in an SQL query, allowing unauthenticated remote attackers to inject and execute arbitrary SQL. Successful exploitation enables extraction of sensitive database information, including schema names and other data. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no required privileges, and no user interaction, with high confidentiality impact and low integrity impact. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVE record was published on May 29, 2026, and modified the same day. The vulnerability status is currently marked as Deferred in the NVD. Multiple source references are available, including the project homepage, the download location, an Exploit-DB entry, and a VulnCheck advisory.
- Vendor: Open ISES
- Product: Open ISES Project
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running The Open ISES Project 3.30A; security teams responsible for web application security; database administrators managing affected deployments; incident response teams monitoring for data exfiltration attempts.
Technical summary
Unauthenticated SQL injection vulnerability in The Open ISES Project 3.30A, reachable through the p1 parameter of city_graph.php. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N. Network-exploitable with no privileges required. The high confidentiality impact reflects that database schema and data can be extracted.
Defensive priority
HIGH
Recommended defensive actions
- Review and apply any available patches or updates for The Open ISES Project
- Implement input validation and parameterized queries for the p1 parameter in city_graph.php
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection attempts against the affected endpoint
- Conduct database activity monitoring for anomalous query patterns
- Restrict network access to the application where possible
- Review database user permissions to enforce principle of least privilege
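As an added illustration of the input-validation and parameterized-query action above (example code written for this debrief, not code from the Open ISES project), the query shape that produces a CWE-89 bug in an endpoint like city_graph.php is shown next to a hardened form. The table and column names, and the assumption that p1 carries a numeric city identifier, are illustrative only.

```php
<?php
// Illustrative example, not Open ISES code: a city_graph.php-style lookup
// keyed on the p1 request parameter, vulnerable and hardened side by side.
// Table/column names and "p1 is a numeric city id" are assumptions.

// Constructed in-memory SQLite database standing in for the application's DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE city_stats (city_id INTEGER, month TEXT, calls INTEGER)');
$db->exec("INSERT INTO city_stats VALUES (1,'2026-01',12),(1,'2026-02',15),(2,'2026-01',7)");

// VULNERABLE pattern (CWE-89): p1 is interpolated straight into the SQL text,
// so the database cannot distinguish the supplied value from the query itself.
function cityGraphVulnerable(PDO $db, string $p1): array
{
    $sql = "SELECT month, calls FROM city_stats WHERE city_id = '$p1'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED pattern: validate p1 against the type the application expects,
// then bind it through a prepared statement so it is only ever data.
function cityGraphHardened(PDO $db, $p1): array
{
    $cityId = filter_var($p1, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cityId === false) {
        http_response_code(400);   // reject; do not try to "clean" the value
        return [];
    }
    $stmt = $db->prepare('SELECT month, calls FROM city_stats WHERE city_id = :city_id');
    $stmt->bindValue(':city_id', $cityId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: the GET parameter as the endpoint would receive it (defaults to 1 on the CLI).
$p1 = $_GET['p1'] ?? '1';
print_r(cityGraphHardened($db, $p1));
```

The same prepared-statement pattern applies whichever database driver the deployment uses; the point is that the value bound to :city_id never becomes part of the SQL text.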
Evidence notes
Vulnerability confirmed through the official CVE record and NVD entry. Technical details sourced from the VulnCheck advisory and the Exploit-DB reference. CVSS 4.0 scoring applied. Vendor identification is marked as low confidence and requires review.
Official resources
Public disclosure via CVE.org and NVD with supporting technical references from VulnCheck and Exploit-DB.