CVE-2025-10878

Critical · Public PoC

Published: 03 February 2026
Modified: 12 February 2026
CVSS v3.1 base score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0060 (44.2nd percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-10878 is a critical-severity SQL injection (CWE-89) vulnerability in Omran's Fikir Odalari AdminPando. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 44.2nd percentile by EPSS exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-10878 is a SQL injection vulnerability (CWE-89) affecting the login functionality of Fikir Odalari AdminPando version 1.0.1 prior to the update dated 2026-01-26. The username and password parameters in the login process are directly vulnerable to SQL injection attacks, which can be used to bypass authentication mechanisms entirely.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required, as reflected in its maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation grants full administrative access to the AdminPando application, enabling attackers to manipulate public-facing website content via HTML/DOM changes.

Mitigation details and resources, including a proof-of-concept, are available in the referenced advisories: the GitHub repository at https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi and blog posts at https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/. Affected installations should be updated to the version released on or after 2026-01-26.
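As an added illustration that is not part of this advisory or the AdminPando code base, the following Python/sqlite3 code shows the CWE-89 login pattern the advisory describes beside its hardened form: a query built by string concatenation, and a parameterized query combined with allowlist input validation (the SI-10 control listed below) and a constant-time hash comparison. The table, column names, regex and credentials are constructed assumptions, and the SHA-256 digest stands in for a real password hash.

```python
import hashlib
import hmac
import re
import sqlite3

# Allowlist for the username parameter (SI-10 style input validation). This is
# defence in depth; the bound parameter in login_safe is the actual CWE-89 fix.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def hash_password(password: str) -> str:
    # Stand-in for a real password hash (use bcrypt or argon2 in production).
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed in-memory user store; the real AdminPando schema is not on
    # the page, so the table and column names here are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", hash_password("correct horse battery"), "administrator"))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # CWE-89: the request parameter is spliced into the SQL text, so a quote in
    # the username rewrites the WHERE clause and the password predicate is lost.
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{hash_password(password)}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # Reject anything outside the allowlist before touching the database.
    if not USERNAME_RE.fullmatch(username):
        return None
    # Bound parameter: the driver sends the username as data, never as SQL.
    row = conn.execute("SELECT username, role, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the stored and supplied digests.
    if not hmac.compare_digest(row[2], hash_password(password)):
        return None
    return (row[0], row[1])
```

With the constructed store, `login_vulnerable(db, "admin' --", "wrong")` returns the administrator row because the trailing comment removes the password check, while `login_safe` returns None for the same input and still accepts the correct credentials.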

Vulnerability details

A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).

CWE(s)

CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection vulnerability in the login functionality of a public-facing web application directly enables exploitation of a public-facing application for authentication bypass and administrative access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Vendor: omran
Product: fikir odalari adminpando
Versions: ≤ 1.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation) requires validation of information inputs such as the username and password parameters, directly preventing SQL injection exploitation in the login functionality.

Prevent: SI-2 (Flaw Remediation) mandates timely flaw remediation, including applying the vendor update released on or after 2026-01-26 to eliminate the SQL injection vulnerability.

Prevent: SC-7 (Boundary Protection) enables web application firewalls or similar mechanisms to inspect and block SQL injection payloads targeting the login endpoint.
