Pmb Services
Products: 2
- 16 CVEs
- 1 CVE
Recent CVEs: 17

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36970 | | High | 0.55 | 8.4 | 0.00 | | Jan 28, 2026 | PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. Attackers can exploit the unsanitized file path input to access sensitive files like /etc/passwd by sending crafted… |
| CVE-2020-37105 | | High | 0.46 | 7.1 | 0.00 | | Feb 3, 2026 | PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the… |
| CVE-2007-1415 | | | 0.04 | — | 0.09 | | Mar 12, 2007 | Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php (b) admin/notices/perso.inc.php, or (c)… |
| CVE-2014-9457 | | | 0.03 | — | 0.01 | | Jan 2, 2015 | SQL injection vulnerability in classes/mono_display.class.php in PMB 4.1.3 and earlier allows remote authenticated users to execute arbitrary SQL commands via the id parameter to catalog.php. |
| CVE-2023-53982 | | | 0.00 | — | 0.01 | | Dec 23, 2025 | PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information… |
| CVE-2025-61167 | | | 0.00 | — | 0.00 | | Nov 25, 2025 | SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters. |
| CVE-2025-61168 | | | 0.00 | — | 0.00 | | Nov 25, 2025 | An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. |
| CVE-2025-48743 | | | 0.00 | — | 0.00 | | May 27, 2025 | SIGB PMB before 8.0.1.2 allows SQL injection. |
| CVE-2025-48742 | | | 0.00 | — | 0.00 | | May 27, 2025 | The installer in SIGB PMB before and fixed in v.8.0.1.2 allows remote code execution. |
| CVE-2025-0472 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response. |
| CVE-2024-26289 | | | 0.00 | — | 0.01 | | May 27, 2024 | Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion. This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18. |
| CVE-2023-37177 | | | 0.00 | — | 0.01 | | Feb 21, 2024 | SQL Injection vulnerability in PMB Services PMB v.7.4.7 and before allows a remote unauthenticated attacker to execute arbitrary code via the query parameter in the /admin/convert/export_z3950.php endpoint. |
| CVE-2023-51828 | | | 0.00 | — | 0.01 | | Feb 21, 2024 | A SQL Injection vulnerability in /admin/convert/export.class.php in PMB 7.4.7 and earlier versions allows remote unauthenticated attackers to execute arbitrary SQL commands via the query parameter in get_next_notice function. |
| CVE-2023-52154 | | | 0.00 | — | 0.01 | | Feb 21, 2024 | File Upload vulnerability in pmb/camera_upload.php in PMB 7.4.7 and earlier allows attackers to run arbitrary code via upload of crafted PHTML files. |
| CVE-2023-38844 | | | 0.00 | — | 0.01 | | Feb 21, 2024 | SQL injection vulnerability in PMB v.7.4.7 and earlier allows a remote attacker to execute arbitrary code via the thesaurus parameter in export_skos.php. |
| CVE-2023-52155 | | | 0.00 | — | 0.01 | | Feb 21, 2024 | A SQL Injection vulnerability in /admin/sauvegarde/run.php in PMB 7.4.7 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via the sauvegardes variable through the /admin/sauvegarde/run.php endpoint. |
| CVE-2023-52153 | | | 0.00 | — | 0.01 | | Feb 21, 2024 | A SQL Injection vulnerability in /pmb/opac_css/includes/sessions.inc.php in PMB 7.4.7 and earlier allows remote unauthenticated attackers to inject arbitrary SQL commands via the PmbOpac-LOGIN cookie value. |