{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25578", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-21T15:25:19.390Z", "datePublished": "2026-03-21T15:30:37.160Z", "dateUpdated": "2026-03-26T16:17:10.981Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T16:17:10.981Z"}, "title": "phpTransformer 2016.9 SQL Injection via GeneratePDF.php", "datePublic": "2019-01-18T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')", "type": "CWE"}]}], "affected": [{"vendor": "Phptransformer", "product": "phpTransformer", "versions": [{"status": "affected", "version": "2016.9"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.</p>"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/46191", "name": "ExploitDB-46191", "tags": ["exploit"]}, {"url": "http://phptransformer.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/phptransformer-sql-injection-via-generatepdf-php", "name": "VulnCheck Advisory: phpTransformer 2016.9 SQL Injection via GeneratePDF.php", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Ihsan Sencan", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:36:53.763977Z", "id": "CVE-2019-25578", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:37:02.109Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25578", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:36:53.763977Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:36:58.004Z"}}], "cna": {"title": "phpTransformer 2016.9 SQL Injection via GeneratePDF.php", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ihsan Sencan"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Phptransformer", "product": "phpTransformer", "versions": [{"status": "affected", "version": "2016.9"}], "defaultStatus": "unaffected"}], "datePublic": "2019-01-18T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46191", "name": "ExploitDB-46191", "tags": ["exploit"]}, {"url": "http://phptransformer.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/phptransformer-sql-injection-via-generatepdf-php", "name": "VulnCheck Advisory: phpTransformer 2016.9 SQL Injection via GeneratePDF.php", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.", "supportingMedia": [{"type": "text/html", "value": "<p>phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T16:17:10.981Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25578", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:17:10.981Z", "dateReserved": "2026-03-21T15:25:19.390Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-21T15:30:37.160Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codnloc:phptransformer:2016.9:*:*:*:*:*:*:*", "matchCriteriaId": "E3ADFE38-E14F-48B6-834C-2BB97B85CD32", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries."}, {"lang": "es", "value": "phpTransformer 2016.9 contiene una vulnerabilidad de inyecci\u00f3n SQL que permite a atacantes remotos ejecutar consultas SQL arbitrarias mediante la inyecci\u00f3n de c\u00f3digo malicioso a trav\u00e9s del par\u00e1metro idnews. Los atacantes pueden enviar solicitudes GET manipuladas a GeneratePDF.php con cargas \u00fatiles SQL en el par\u00e1metro idnews para extraer informaci\u00f3n sensible de la base de datos o manipular consultas."}], "id": "CVE-2019-25578", "lastModified": "2026-03-26T17:16:24.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-21T16:16:01.730", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://phptransformer.com/"}, {"source": "disclosure@vulncheck.com", "tags": ["Broken Link"], "url": "https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46191"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/phptransformer-sql-injection-via-generatepdf-php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2016.9"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "phpTransformer", "source": "cna", "vendor": "Phptransformer"}, "product": "phptransformer", "vendor": "phptransformer"}], "analysis": {"en": {"generated_at": "2026-03-23T18:52:43.039276+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s official website or repository for an updated release or patch that addresses the SQL injection flaw.", "If no patch is available, restrict web access to GeneratePDF.php or disable the idnews parameter from external input to limit exploitation opportunities.", "Monitor web server logs for suspicious GET requests to GeneratePDF.php and consider implementing a web application firewall rule to block common SQL injection payload patterns."], "summary": {"action": "Assess Impact", "impact": "Remote SQL Injection leading to data exposure and manipulation"}, "threat_synthesis": {"affected_systems": "The bug affects phpTransformer version 2016.9, the content management system published under the vendor Phptransformer. Servers running this specific release are at risk. No later versions or patches are cited in the advisory, so any instance of this exact version is potentially exposed.", "description_and_impact": "An SQL injection flaw in phpTransformer 2016.9 allows attackers to embed arbitrary SQL via the idnews query parameter in GeneratePDF.php. The vulnerability can lead to reading, modifying, or deleting database content, thereby compromising confidentiality and integrity of the application data.", "risk_and_exploitability": "The CVSS base score of 8.8 classifies the issue as high severity, while the EPSS score of less than 1% suggests a modest likelihood of large\u2011scale exploitation. The flaw has not been listed in the CISA KEV catalog. An attacker only needs to craft an HTTP GET request to GeneratePDF.php containing a malicious idnews value to trigger the injection; this straightforward remote access path underscores the seriousness of the risk."}}}}, "created": "2026-03-23T09:49:02.719936+00:00", "updated": "2026-03-25T14:47:05.184163+00:00", "vendors": ["phptransformer", "phptransformer$PRODUCT$phptransformer"]}