Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was found in KLiK SocialMediaWebsite 1.0. This affects an unknown part of the component HTTP GET Request Parameter Handler. The manipulation results in injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
AnalysisAI
Injection via HTTP GET request parameter manipulation in KLiK SocialMediaWebsite 1.0 allows remote attackers to inject arbitrary content or code through the application's parameter handler, contingent on passive user interaction. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact scoped exclusively to the vulnerable system with no lateral impact. Publicly available exploit code exists per the E:P exploit maturity metric and SSVC poc classification, though EPSS at 0.04% (13th percentile) and the non-KEV status indicate no observed widespread exploitation.
Technical ContextAI
KLiK SocialMediaWebsite 1.0 is identified via CPE cpe:2.3:a:n/a:klik_socialmediawebsite:*:*:*:*:*:*:*:* - the vendor field resolving to 'n/a' indicates this is likely a community or open-source project with no formal vendor namespace in the NVD CPE dictionary. The vulnerability resides in the HTTP GET Request Parameter Handler, the component responsible for processing URL query string parameters before downstream use. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection) identifies the root cause: user-supplied GET parameter values are not properly sanitized or neutralized before being passed to a downstream context, allowing injected special elements to alter the intended processing logic. This CWE is a parent class covering sub-types such as SQL injection, OS command injection, cross-site scripting, and template injection; the exact downstream context (database, shell, HTML renderer) is not confirmed in available data. The CVSS 4.0 vector specifies AT:N (no attack requirements beyond network access) and AC:L (low attack complexity), indicating the injection point is reliably reachable and does not require unusual application state.
RemediationAI
No vendor-released patch is identified at time of analysis - the CPE vendor field is 'n/a' and no patch references appear in the VulDB submission set (https://vuldb.com/submit/813723, /813730, /813731, /813732) or NVD entry. Given the absence of a maintained vendor, organizations running KLiK SocialMediaWebsite 1.0 should consider replacing it with an actively maintained alternative. As a specific compensating control, input validation and output encoding should be applied to all HTTP GET parameters at the web application firewall or reverse proxy layer (e.g., ModSecurity with OWASP CRS rules targeting CWE-74 injection patterns); note this may block legitimate parameterized requests if rules are too broad and requires tuning. Additionally, restricting the application to authenticated sessions only would eliminate the PR:N attack surface, though this may conflict with intended public-facing functionality. If the application is not in active use, decommissioning or taking it offline eliminates exposure entirely.
More in Klik Socialmediawebsite
View allKLiK SocialMediaWebsite version v1.0.1 is vulnerable to SQL Injection via the profile.php. Rated high severity (CVSS 8.8
A reflected cross-site scripting (XSS) vulnerability in SocialMediaWebsite v1.0.1 allows attackers to inject malicious J
KLiK SocialMediaWebsite version 1.0.1 from msaad1999 has a reflected cross-site scripting (XSS) vulnerability which may
Injection vulnerability in KLiK SocialMediaWebsite 1.0 allows remote unauthenticated attackers to submit crafted HTTP PO
Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation v
A reflected cross-site scripting (XSS) vulnerability in zhimengzhe iBarn v1.5 allows attackers to inject malicious JavaS
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31625
GHSA-p36m-2qm6-9pq8