Cyber Posture

CVE-2018-25176

High · Public PoC

Published: 06 March 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0008 (22.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-25176 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, it ranks at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

[prevent] SI-10 (Information Input Validation): Directly prevents SQL injection through validation and sanitization of the key parameter in the search endpoint, and arbitrary file uploads via the photo functionality, by ensuring inputs do not contain malicious code or invalid content.

[prevent] SI-2 (Flaw Remediation): Remediates the specific SQL injection and arbitrary file upload flaws in Alive Parish 2.0.4 by identifying, reporting, and correcting the vulnerabilities to eliminate the exploitation vectors.

[prevent, detect] Mitigates remote code execution from arbitrary file uploads to the images/uploaded directory by deploying mechanisms to detect and eradicate malicious code at system entry points.

NVD Description

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.

Deeper analysis

CVE-2018-25176 affects Alive Parish version 2.0.4, a software application that is vulnerable to both an SQL injection flaw and an arbitrary file upload. The SQL injection occurs through the key parameter in the search endpoint, enabling unauthenticated attackers to inject malicious code and execute arbitrary SQL queries. Additionally, the person photo upload functionality allows attackers to upload arbitrary files to the images/uploaded directory, potentially leading to remote code execution.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Successful SQL injection can result in high confidentiality impacts, such as data extraction, while the file upload enables integrity violations and remote code execution, allowing attackers to achieve persistent access or further compromise the system.

Advisories and references detail the vulnerabilities, including a proof-of-concept exploit available at https://www.exploit-db.com/exploits/45840 and further analysis at https://www.vulncheck.com/advisories/alive-parish-sql-injection-and-arbitrary-file-upload. No specific patches or mitigations are outlined in the provided information.

Details

CWE(s): CWE-352

CVEs Like This One

CVE-2026-28495 (shared CWE-352)
CVE-2025-22343 (shared CWE-352)
CVE-2025-30564 (shared CWE-352)
CVE-2025-26543 (shared CWE-352)
CVE-2025-25907 (shared CWE-352)
CVE-2025-31616 (shared CWE-352)
CVE-2025-31449 (shared CWE-352)
CVE-2026-5791 (shared CWE-352)
CVE-2025-23990 (shared CWE-352)
CVE-2025-30586 (shared CWE-352)

References