PatchSiren

Simpkh CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Simpkh CVE published 2026-05-30

CVE-2018-25410

SIM-PKH 2.4.1 contains an authenticated SQL injection vulnerability in the administrative media management interface. An attacker with valid credentials can manipulate the 'id' parameter in GET requests to /admin/media.php to inject arbitrary SQL statements, including UNION-based queries that extract database metadata such as usernames, database names, and version information. The vulnerability requires l [truncated]

HIGH Simpkh CVE published 2026-05-30

CVE-2018-25409

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with the parameters module=pengurus and act=update; the uploaded files are stored in the foto directory and executed as web scripts.