CVE-2025-10878

Fikir Odalari · AdminPando

A critical SQL injection vulnerability in Fikir Odalari AdminPando allows unauthenticated attackers to bypass the login form and gain full administrative access, including the ability to alter the public-facing site's HTML content.

Executive summary

Fikir Odalari AdminPando is affected by a maximum-severity SQL injection vulnerability that allows unauthenticated attackers to seize full administrative control and deface public content.

Vulnerability

The username and password parameters of the login function are placed into an SQL query without parameterization or proper escaping. An unauthenticated attacker who submits crafted values in either field can change the query's logic (for example, by closing the string literal and appending a tautology such as ' OR '1'='1, or a comment sequence that truncates the password check) and bypass the authentication mechanism entirely.
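The bypass described above, shown as an added example that is not AdminPando's code (the product's real schema and source are not public here): a login check built by string concatenation beside the same check as a prepared statement, run against a constructed in-memory SQLite table. The table layout, account, and payloads are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application's
    database (assumed layout, not AdminPando's). Passwords are stored in clear
    text only to keep the demo short; real code must store and compare hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password, role) "
        "VALUES ('admin', 'S3cret!', 'admin')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: the pattern the advisory
    describes, where both fields land directly inside the SQL text.
    Returns the role of the matched account, or None."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same check as a prepared statement: the driver passes the values
    separately from the query text, so quotes, comments and OR clauses in the
    input are compared as literal characters and never alter the query."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Comment sequence truncates the password check: username = 'admin' --
    print(login_vulnerable(db, "admin' --", "wrong"))        # admin
    # Tautology in the password field: ... AND password = '' OR '1'='1'
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))      # admin
    # The same payloads against the parameterized query match nothing.
    print(login_hardened(db, "admin' --", "wrong"))          # None
    print(login_hardened(db, "nobody", "' OR '1'='1"))        # None
    print(login_hardened(db, "admin", "S3cret!"))            # admin
```

The two payloads illustrate why both fields matter: the comment sequence only needs the username field, while the tautology works from the password field alone, so fixing one parameter without the other leaves the bypass intact.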

Business impact

This vulnerability carries a CVSS score of 10.0, the maximum on the scale. Successful exploitation gives an attacker with no prior access full administrative privileges, from which they can read and modify the underlying database, exfiltrate user records, and alter the public-facing website's HTML content. This can lead to severe reputational damage and total loss of confidentiality and integrity of the site's data.

Remediation

Immediate Action: Apply the vendor-provided patch released on or after January 26, 2026, which implements prepared statements and input sanitization for the login parameters.

Proactive Monitoring: Review database and application logs for login queries that deviate from the application's normal query shape: string tautologies such as ' OR '1'='1', comment sequences (--, #, /*) that truncate the WHERE clause, and UNION SELECT appended to the login query. Matching on bare keywords such as SELECT is not useful, since every legitimate login query contains one. Note that ordinary web server access logs do not record POST bodies, so the submitted login values are only visible where the application or the database logs them.

Compensating Controls: Until the patch is applied, place the login endpoint behind a Web Application Firewall (WAF) with strict SQL injection rules to intercept malicious login attempts. Treat this as a stopgap rather than a fix: WAF signatures can be evaded with encoding and syntax variations, and the vulnerable query remains in place behind it.
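The monitoring step above, as an added example that is not part of the advisory or the vendor's tooling: a small detector run over constructed log lines written in the style of a database general query log (the timestamps, query text and table names are assumptions, not real AdminPando output). It flags login queries carrying a comment sequence, a quoted tautology, or an appended UNION SELECT, and deliberately ignores the bare SELECT keyword, which appears in every legitimate line.

```python
import re

# Constructed sample lines in the style of a database general query log.
# They are illustrative only, not real AdminPando log output.
SAMPLE_LOG = """\
2026-01-27T09:14:02Z Query SELECT role FROM users WHERE username = 'editor' AND password = 'hunter2'
2026-01-27T09:14:09Z Query SELECT role FROM users WHERE username = 'admin' -- ' AND password = 'x'
2026-01-27T09:14:15Z Query SELECT role FROM users WHERE username = '' OR '1'='1' AND password = ''
2026-01-27T09:14:21Z Query SELECT role FROM users WHERE username = 'x' UNION SELECT 'admin' -- ' AND password = 'y'
2026-01-27T09:15:00Z Query SELECT title, body FROM pages WHERE slug = 'about-us'
"""

# Only the login query is of interest; "FROM users WHERE" is the assumed
# shape of that query and would be adapted to the real application.
LOGIN_QUERY = re.compile(r"FROM users WHERE", re.IGNORECASE)

# Each signature names one way the advisory's payloads change the query.
SIGNATURES = [
    # Comment sequences cut the rest of the WHERE clause off.
    ("sql comment", re.compile(r"(--|#|/\*)")),
    # A quoted value compared to itself: OR 'a'='a'
    ("tautology", re.compile(r"\bOR\s+'([^']*)'\s*=\s*'\1'", re.IGNORECASE)),
    # A second SELECT glued onto the login query.
    ("union", re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)),
]


def classify(line):
    """Return the names of the signatures that match a login-query line.
    Non-login queries and clean login queries return an empty list."""
    if not LOGIN_QUERY.search(line):
        return []
    return [name for name, pattern in SIGNATURES if pattern.search(line)]


def suspicious_logins(log_text):
    """Scan a block of log text and return (line, [signature names]) for
    every login query that trips at least one signature."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            hits.append((line, tags))
    return hits


if __name__ == "__main__":
    for line, tags in suspicious_logins(SAMPLE_LOG):
        print(", ".join(tags), "->", line)
```

Two caveats when tuning this on real logs: a legitimate password containing -- or # will trip the comment signature if the application logs it verbatim, so confirm hits against the account and source address before acting, and the login-query regex must be adjusted to the table and column names the application actually uses.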

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate patching is mandatory for all AdminPando installations. Because this flaw permits complete takeover and public website manipulation without any credentials, administrators should also conduct a forensic review to establish whether the system has already been compromised via this vector: check for unrecognised administrator accounts, unexpected changes to published content, and anomalous login queries in whatever application or database logs are available.