
Nominas 0.27 allows attackers to steal database information

CVE-2018-25194
Summary

An unauthenticated attacker can extract database information, including usernames, database names, and version details, by sending a crafted POST request to the login endpoint (login/checklogin.php) with SQL injected through the username parameter. No credentials are needed, because the injection point is the login form itself. Update to a fixed version of Nominas to protect your database.

Original title
Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can...
Original description
Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can send POST requests to the login/checklogin.php endpoint with crafted UNION-based SQL injection payloads to extract database information including usernames, database names, and version details.
nvd CVSS3.1 8.2
nvd CVSS4.0 8.8
Vulnerability type
CWE-22 Path Traversal
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026