phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.
PUBLISHED5.2CWE-22
phpTransformer 2016.9 SQL Injection via GeneratePDF.php
Problem type
Affected products
Phptransformer
phpTransformer
2016.9 - AFFECTED
References
ExploitDB-46191
https://www.exploit-db.com/exploits/46191
Official Product Homepage
http://phptransformer.com/
Product Reference
https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip
VulnCheck Advisory: phpTransformer 2016.9 SQL Injection via GeneratePDF.php
https://www.vulncheck.com/advisories/phptransformer-sql-injection-via-generatepdf-php
JSON source
https://cveawg.mitre.org/api/cve/CVE-2019-25578Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2019-25578",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-03-21T15:30:37.160Z",
"dateReserved": "2026-03-21T15:25:19.390Z",
"datePublished": "2026-03-21T15:30:37.160Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-03-21T15:30:37.160Z"
},
"title": "phpTransformer 2016.9 SQL Injection via GeneratePDF.php",
"descriptions": [
{
"lang": "en",
"value": "phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries."
}
],
"affected": [
{
"vendor": "Phptransformer",
"product": "phpTransformer",
"versions": [
{
"version": "2016.9",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/46191",
"name": "ExploitDB-46191",
"tags": [
"exploit"
]
},
{
"url": "http://phptransformer.com/",
"name": "Official Product Homepage",
"tags": [
"product"
]
},
{
"url": "https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip",
"name": "Product Reference",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/phptransformer-sql-injection-via-generatepdf-php",
"name": "VulnCheck Advisory: phpTransformer 2016.9 SQL Injection via GeneratePDF.php",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH"
}
}
],
"credits": [
{
"lang": "en",
"value": "Ihsan Sencan",
"type": "finder"
}
]
}
}
}