Zchat 1.5 Pre-Auth Time-based Blind SQL Injection via v Parameter

Zchat 1.5 SQL Injection Vulnerability Summary Vulnerability Overview Vulnerability Name: Zchat 1.5 SQL Injection via v parameter (time-based blind) Vulnerability Type: SQL Injection (time-based blind) Severity: HIGH Release Date: May 17, 2026 CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VSA:N/SC:N/SI:N/SA:N Scope of Impact Affected Software: Zchat 1.5 Attack Conditions: No authentication required Attack Vector: Injection via the parameter Attack Impact: Attackers can exploit time-based blind injection techniques to extract database information Remediation Official Product Homepage: Official Product Homepage (Note: The actual link must be retrieved from the original page) Recommended Measures: - Update Zchat to a secure version - Perform strict input validation and filtering on the parameter - Use parameterized queries or prepared statements to prevent SQL injection References CVE ID: CVE-2018-23339 Related CVE: CVE-89 (Improper Neutralization of Special Elements used in an SQL Command) Reporter: Borna nematzadeh (LORD) / borna.nematzadeh123@gmail.com Technical Description The parameter in Zchat 1.5 contains a SQL injection vulnerability, allowing unauthenticated attackers to extract database information using time-based blind injection techniques. Attackers can confirm the vulnerability and extract data through time-based blind injection.

Goal Reached Thanks to every supporter — we hit 100%!

Zchat 1.5 Pre-Auth Time-based Blind SQL Injection via v Parameter