CVE-2023-53982 CRITICAL

CVE-2023-53982: PMB 7.4.6 SQL Injection Vulnerability via Unsanitized Storage Parameter

Vendor: Sigb
Product: PMB
Weakness: CWE-89 · SQLi
Published: December 23, 2025
Last update: March 5, 2026

CVSS base score

9.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks.

Key dates

02 Disclosure timeline

December 23, 2025: CVE published
March 5, 2026: Record updated