CVE-2025-10878
Published: 03 February 2026
Summary
CVE-2025-10878 is a critical-severity SQL Injection (CWE-89) vulnerability in Omran Fikir Odalari Adminpando. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 44.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-10878 is a SQL injection vulnerability (CWE-89) affecting the login functionality of Fikir Odalari AdminPando version 1.0.1 prior to the update dated 2026-01-26. The username and password parameters in the login process are directly vulnerable to SQL injection attacks, which can be used to bypass authentication mechanisms entirely.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required, as reflected in its maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation grants full administrative access to the AdminPando application, enabling attackers to manipulate public-facing website content via HTML/DOM changes.
Mitigation details and resources, including a proof-of-concept, are available in the referenced advisories: the GitHub repository at https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi and blog posts at https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/. Affected installations should be updated to the version released on or after 2026-01-26.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206676
Vulnerability details
A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the login functionality of a public-facing web application directly enables exploitation of a public-facing application for authentication bypass and administrative access.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs such as username and password parameters, directly preventing SQL injection exploitation in the login functionality.
SI-2 mandates timely flaw remediation, including applying the vendor update released on or after 2026-01-26 to eliminate the SQL injection vulnerability.
SC-7 boundary protection enables web application firewalls or similar mechanisms to inspect and block SQL injection payloads targeting the login endpoint.
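To make the SI-10 point concrete, the following added example (written for this page, not code from AdminPando or from the referenced advisory) places a login check of the CWE-89 shape described above next to a hardened version that validates the username against an allowlist and binds both parameters. The table schema, the account, and the username policy are constructed for the demo.

```python
import re
import sqlite3

# Constructed stand-in for an admin-panel user table; not AdminPando's own schema.
# Plaintext passwords are a deliberate simplification so that both parameters the
# advisory names are reachable from the query text, as in the described flaw.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    """CWE-89 pattern: user input is spliced into the SQL text, so quote and
    comment characters in either parameter change the statement's logic."""
    sql = ("SELECT username FROM admins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

# SI-10 style input validation: admin usernames are restricted to an allowlist
# of characters (hypothetical policy for this demo) before any query is built.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def login_safe(conn, username, password):
    """Hardened form: reject out-of-policy input, then bind both values as
    parameters so the driver never lets them alter the statement structure."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute(
        "SELECT username FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

# Textbook tautology input used only to show the two functions diverge; the
# advisory's public proof-of-concept is not reproduced here.
TAUTOLOGY = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, tautology username:", login_vulnerable(db, TAUTOLOGY, "x"))
    print("hardened login, same input:", login_safe(db, TAUTOLOGY, "x"))
    print("hardened login, real credentials:", login_safe(db, "admin", "correct-horse"))
```

Running it shows the concatenated query accepting the tautology input while the bound query rejects it and still accepts the real credentials; a WAF rule in front of the login endpoint (SC-7) is a second layer, not a substitute for the binding.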