PMB 7.4.6 SQL Injection Vulnerability via Unsanitized Storage Parameter

Advisories

severity: critical
date: December 23, 2025
Affecting: PMB 7.4.6
CVE: CVE-2023-53982
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
References: ExploitDB-51197
Vendor Homepage
Software Download Repository
Credit: str0xo DZ (Walid Ben)
Description: PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks.