CVE-2019-25438 HIGH

CVE-2019-25438: LabCollector 5.423 SQL Injection via login.php

Vendor Labcollector

Product LabCollector

Weakness CWE-89 · SQLi

Published February 20, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the user_name parameter of retrieve_password.php to extract sensitive database information without authentication.

Key dates

02Disclosure timeline

February 20, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-25438

Related vulnerabilities

04Related CVE

CVE-2020-37035 e-learning Php Script 0.1.0 - 'search' SQL Injection CVE-2024-7748 SourceCodester Accounts Manager App delete-account.php sql injection CVE-2025-2602 SourceCodester Kortex Lite Advocate Office Management System deactivate_reg.php sql injection CVE-2024-31460 Cacti SQL Injection vulnerability in lib/api_automation.php caused by reading dirty data stored in database CVE-2025-47608 WordPress Recover abandoned cart for WooCommerce plugin <= 2.5 - SQL Injection Vulnerability