CVE-2019-25438

moderate-risk

Published 2026-02-20

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the user_name parameter of retrieve_password.php to extract sensitive database information without authentication.

Do I need to act?

0.56% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Labcollector

Affected Vendors

Agilebio

References (3)

Product https://labcollector.com/

Exploit https://www.exploit-db.com/exploits/47460

Third Party Advisory https://www.vulncheck.com/advisories/labcollector-sql-injection-via-loginphp

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal