Skip to main content

Antaris

1 CVEs product

Monthly

CVE-2026-15502 MEDIUM This Month

SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.

SQLi PHP Antaris
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.

SQLi PHP Antaris
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy