A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).
The username and password parameters transmitted during login are not properly validated or sanitized before being passed to the SQL query. An attacker can inject malicious SQL code (SQL injection) directly into these fields, causing the database to interpret the query in a way that bypasses password verification and user identity verification. No credentials are required nor prior access to the system — the attack can be performed remotely over the network without interaction from the victim.
Successful exploitation of the vulnerability gives the attacker full administrative access to the application, including the ability to manipulate public website content (HTML/DOM manipulation) and control all functions of the administration panel.
The Fikir Odalari AdminPando application must be immediately updated to the version released after 2026-01-26, which eliminates the described vulnerability. Details are available in the vendor references and in the published researcher report. Until the patch is implemented, it is recommended to restrict access to the login panel exclusively to trusted IP addresses at the firewall level.
Fikir Odalari AdminPando version 1.0.1 prior to the update from 2026-01-26.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HOmran Fikir Odalari Adminpando
APPOmran≤ 1.0.1