Cyber Resilience

CVE-2025-26186

Severity: High
Published: 15 July 2025
Modified: 17 July 2025
KEV added: not listed
Patch: available
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0088 (75.8th percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26186 is a high-severity SQL Injection (CWE-89) vulnerability in Os4Ed Opensis. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.2% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations identified by this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26186 is a SQL injection vulnerability (CWE-89) affecting openSIS version 9.1, specifically in the Ajax.php component. A remote attacker can exploit the id parameter to execute arbitrary code. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The attack requires network access and has high attack complexity, but needs no privileges or user interaction. A remote, unauthenticated attacker can inject malicious SQL through the vulnerable parameter, leading to arbitrary code execution on the affected system.

Mitigation is addressed in a GitHub pull request for the openSIS-Classic repository at https://github.com/OS4ED/openSIS-Classic/pull/330. Security practitioners should review the vendor's site at https://www.os4ed.com/ for additional guidance and apply patches promptly to vulnerable installations.

Vulnerability details

SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing web app (Ajax.php) directly enables remote unauthenticated exploitation for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Vendor: os4ed
Product: opensis
Version: 9.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
SI-10 directly prevents SQL injection by requiring validation of untrusted inputs like the id parameter in Ajax.php.

SI-2 Flaw Remediation (prevent)
SI-2 ensures timely remediation of the specific flaw in openSIS v9.1 via patches from the vendor pull request.

SC-7 Boundary Protection (prevent, detect)
SC-7 provides boundary protection that can inspect and block SQL injection payloads targeting the Ajax.php endpoint.
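As an added illustration of the detect side of SC-7 (this is example code, not from the advisory or the openSIS project): a scan of web server access logs that flags requests to Ajax.php whose id parameter is anything other than a plain integer. It assumes a combined-style access log and that openSIS expects a numeric id at this endpoint; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-style access log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_id_requests(lines):
    """Return (client, timestamp, decoded id) for Ajax.php requests whose
    id parameter is not a plain integer (assumption: a numeric id is expected)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/ajax.php"):
            continue
        # parse_qs percent-decodes, so encoded quotes and comments are
        # compared in their decoded form, not as the attacker wrote them.
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            if not re.fullmatch(r"\d+", raw_id):
                findings.append((m.group("client"), m.group("ts"), raw_id))
    return findings

# Constructed sample: two benign requests, one percent-encoded probe, one
# non-numeric id, and a POST whose body the access log cannot show.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2025:10:01:02 +0000] "GET /opensis/Ajax.php?modname=x&id=42 HTTP/1.1" 200',
    '10.0.0.5 - - [15/Jul/2025:10:01:03 +0000] "GET /opensis/index.php HTTP/1.1" 200',
    '203.0.113.9 - - [15/Jul/2025:10:02:10 +0000] "GET /opensis/Ajax.php?id=42%27%20OR%201%3D1-- HTTP/1.1" 200',
    '203.0.113.9 - - [15/Jul/2025:10:02:11 +0000] "GET /opensis/Ajax.php?id=abc HTTP/1.1" 200',
    '203.0.113.9 - - [15/Jul/2025:10:02:12 +0000] "POST /opensis/Ajax.php HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, ts, bad_id in suspicious_id_requests(SAMPLE_LOG):
        print(f"{ts} {client} Ajax.php id={bad_id!r}")
```

Only the query string is visible in an access log, so id values sent in a POST body are not checked here; a WAF or application-level log is needed to cover that path.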