Which versions of PHP are affected by CVE-2018-25196?

ServerZilla 1.0 contains a critical SQL injection vulnerability (CVE-2018-25196) that allows unauthenticated attackers to compromise database integrity and access sensitive data without…

Is there a public PoC exploit available for CVE-2018-25196?

Yes, a public proof-of-concept exploit is available for CVE-2018-25196. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2018-25196?

Within 24 hours: Identify all systems running ServerZilla 1.0 and isolate them from production networks if possible; enable database activity monitoring and query logging. Within 7 days: Implement WAF rules to block SQL injection patterns in the email parameter; restrict network access to ServerZilla instances to authorized users only; conduct database integrity audit for unauthorized modifications. Within 30 days: Migrate to an alternative, supported product or evaluate ServerZilla's successor versions for patched releases; if no upgrade path exists, establish timeline for decommissioning affected systems.

PHP CVE-2018-25196

Q: What is the CVSS score of CVE-2018-25196?

CVE-2018-25196 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

HIGH

SQL Injection (CWE-89)

2026-03-06 disclosure@vulncheck.com

PHP SQLi

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 15, 2026 - 15:22 NVD

8.2 (HIGH) 8.8 (HIGH)

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 09, 2026 - 13:35 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 13:16 nvd

HIGH 8.2

DescriptionNVD

ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to reset.php with malicious email values containing SQL operators to bypass authentication and extract sensitive database information.

AnalysisAI

ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. [CVSS 8.2 HIGH]

Technical ContextAI

Classified as CWE-89 (SQL Injection). ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to reset.php with malicious email values containing SQL operators to bypass authentication and extract sensitive database information.

Affected ProductsAI

Component: email.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

CVE-2018-25196 vulnerability details – vuln.today

Back

PHP CVE-2018-25196

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

PHP CVE-2018-25196

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code