CVE-2018-25179
Published: 06 March 2026
Summary
CVE-2018-25179 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 14.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2018-25179 is an SQL injection vulnerability (CWE-89) affecting Gumbo CMS version 0.99. The flaw exists in the settings endpoint, where the language parameter fails to properly sanitize user input, allowing attackers to inject and execute arbitrary SQL queries.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity by sending POST requests containing crafted SQL payloads in the language parameter. Successful exploitation enables extraction of sensitive database information, including usernames, databases, and version details. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting high confidentiality impact with low integrity impact and no availability impact.
Advisories and proof-of-concept exploits are documented in references including Exploit-DB at https://www.exploit-db.com/exploits/45837 and VulnCheck at https://www.vulncheck.com/advisories/gumbo-cms-sql-injection-via-settings-endpoint.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21634
Vulnerability details
Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the language parameter. Attackers can send POST requests to the settings endpoint with crafted SQL payloads in the language parameter to extract sensitive database information including usernames, databases, and version details.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (the Gumbo CMS settings endpoint) maps to Exploit Public-Facing Application (T1190), and the resulting extraction of sensitive database information, including usernames, maps to T1213.006.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user inputs like the language parameter to prevent SQL injection attacks by ensuring malicious SQL payloads are rejected or sanitized.
SI-2 mandates identification, reporting, and correction of flaws such as this SQL injection vulnerability in the settings endpoint through patching.
RA-5 employs vulnerability scanning to identify SQL injection flaws like CVE-2018-25179 in Gumbo CMS for subsequent remediation.
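To make the flaw described under "Deeper analysis" and the SI-10 control above concrete, here is an added illustration (not Gumbo CMS code, whose settings handler is not shown on this page) of the vulnerable pattern beside a hardened version: a request-supplied language value concatenated into SQL versus the same lookup with an allowlist check and parameter binding. The table schema, function names and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed allowlist of language codes the application actually supports
# (assumption: the real application has a fixed, small set).
SUPPORTED_LANGUAGES = {"en", "de", "fr"}


def make_db():
    """Build an in-memory stand-in for a CMS settings table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE settings(user_id INTEGER, language TEXT);
        INSERT INTO settings VALUES (1, 'en');
        INSERT INTO settings VALUES (2, 'de');
    """)
    return conn


def lookup_vulnerable(conn, user_id, language):
    """CWE-89 pattern: the POST parameter is spliced straight into the query,
    so a crafted value can change the WHERE clause and return other users' rows."""
    sql = ("SELECT user_id, language FROM settings "
           f"WHERE user_id = {int(user_id)} AND language = '{language}'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id, language):
    """SI-10 style validation: reject any value outside the allowlist, then bind
    the value as a parameter so it is treated as data, never as SQL syntax."""
    if language not in SUPPORTED_LANGUAGES:
        raise ValueError(f"unsupported language value: {language!r}")
    sql = "SELECT user_id, language FROM settings WHERE user_id = ? AND language = ?"
    return conn.execute(sql, (int(user_id), language)).fetchall()


def demo():
    """Run both lookups against a constructed tautology value and report the outcome."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed demo value, not a payload from the advisory
    leaked = lookup_vulnerable(conn, 1, crafted)  # returns every row, not just user 1
    try:
        lookup_hardened(conn, 1, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return {"leaked_rows": len(leaked), "hardened_rejected": rejected}


if __name__ == "__main__":
    print(demo())  # {'leaked_rows': 2, 'hardened_rejected': True}
```

The allowlist is the primary control here; parameter binding is kept as defence in depth so that even a value that passes validation cannot alter query structure.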