CRITICAL🇵🇱 Wersja polska

CVE-2025-10878

CVSS 10.0v3.1pub. 2026-02-03upd. 2026-02-12

A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).

🤖 AI Analysis
How it works

The username and password parameters transmitted during login are not properly validated or sanitized before being passed to the SQL query. An attacker can inject malicious SQL code (SQL injection) directly into these fields, causing the database to interpret the query in a way that bypasses password verification and user identity verification. No credentials are required nor prior access to the system — the attack can be performed remotely over the network without interaction from the victim.

Impact

Successful exploitation of the vulnerability gives the attacker full administrative access to the application, including the ability to manipulate public website content (HTML/DOM manipulation) and control all functions of the administration panel.

Mitigation & patch

The Fikir Odalari AdminPando application must be immediately updated to the version released after 2026-01-26, which eliminates the described vulnerability. Details are available in the vendor references and in the published researcher report. Until the patch is implemented, it is recommended to restrict access to the login panel exclusively to trusted IP addresses at the firewall level.

Who is affected

Fikir Odalari AdminPando version 1.0.1 prior to the update from 2026-01-26.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Omran Fikir Odalari Adminpando

    APP
    Omran
    ≤ 1.0.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiAuth Bypass
CWE
References