Is there a public PoC exploit available for CVE-2018-25176?

Yes, a public proof-of-concept exploit is available for CVE-2018-25176. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2018-25176?

Within 24 hours: Inventory all systems running Alive Parish 2.0.4 and isolate affected instances from production networks if possible; disable the search endpoint or restrict access to trusted IPs only. Within 7 days: Deploy WAF rules to block SQL injection patterns in the search parameter; implement database query logging and monitoring for anomalous activity. Within 30 days: Upgrade to a patched version if available, migrate to an alternative solution, or implement comprehensive input validation and parameterized queries if source code access permits.

CVE-2018-25176

Q: What is the CVSS score of CVE-2018-25176?

CVE-2018-25176 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

HIGH

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-03-06 disclosure@vulncheck.com

RCE SQLi CSRF

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 15, 2026 - 15:22 NVD

8.2 (HIGH) 8.8 (HIGH)

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 09, 2026 - 13:35 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 13:15 nvd

HIGH 8.2

DescriptionNVD

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.

AnalysisAI

Technical ContextAI

Classified as CWE-352 (Cross-Site Request Forgery (CSRF)). Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.

Affected ProductsAI

Component: key.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

CVE-2018-25176 vulnerability details – vuln.today

Back

CVE-2018-25176

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

CVE-2018-25176

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code