CVE-2025-10878 - Vulnerability Details

A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Insaat	Fikir Odalari Adminpando
Omran	Fikir Odalari Adminpando

Configuration 1 [-]

cpe:2.3:a:omran:fikir_odalari_adminpando:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi
https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/

History

Thu, 12 Feb 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Omran Omran fikir Odalari Adminpando
CPEs		cpe:2.3:a:omran:fikir_odalari_adminpando::::::::
Vendors & Products		Omran Omran fikir Odalari Adminpando

Wed, 04 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Insaat Insaat fikir Odalari Adminpando
Vendors & Products		Insaat Insaat fikir Odalari Adminpando

Tue, 03 Feb 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).
Weaknesses		CWE-89
References		https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/
Metrics		cvssV3_1 `{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-02-03T00:00:00.000Z

Updated: 2026-02-04T16:09:29.359Z

Reserved: 2025-09-23T00:00:00.000Z

Link: CVE-2025-10878

Vulnrichment

Updated: 2026-02-04T16:09:25.300Z

NVD

Status : Analyzed

Published: 2026-02-03T20:15:55.837

Modified: 2026-02-12T17:37:05.497

Link: CVE-2025-10878

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object