CVE-2018-25170 HIGH

CVE-2018-25170: DoceboLMS 1.2 SQL Injection via lesson.php

Vendor Spaghettilearning

Product DoceboLMS

Weakness CWE-352 · CSRF

Published March 6, 2026

Last update March 9, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id, idC, and idU parameters. Attackers can send GET requests to the lesson.php endpoint with malicious SQL payloads to extract sensitive database information.

Key dates

Disclosure timeline

March 6, 2026 CVE published

March 9, 2026 Record updated