{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ezpublish-legacy--2019.03/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ezpublish-legacy (= 2019.03)"],"_cs_severities":["high"],"_cs_tags":["sqli","vulnerability"],"_cs_type":"advisory","_cs_vendors":["ezsystems"],"content_html":"\u003cp\u003eA SQL injection vulnerability exists within the \u003ccode\u003eezsystems/ezpublish-legacy\u003c/code\u003e application, specifically within the \u003ccode\u003edfscleanup.php\u003c/code\u003e script and the \u003ccode\u003e_getFileList\u003c/code\u003e function of the \u003ccode\u003eeZDFSFileHandlerMySQLiBackend\u003c/code\u003e class (located at \u003ccode\u003ekernel/private/classes/clusterfilehandlers/dfsbackends/mysqli.php\u003c/code\u003e). This vulnerability allows an attacker with local shell access and sufficient privileges to run \u003ccode\u003edfscleanup.php\u003c/code\u003e to perform a union-based SQL injection against the eZ Publish MySQL database. The identified vulnerability affects the 2019.03 branch of the software, and it may also affect other branches. However, it\u0026rsquo;s important to note that all tags and branches in this repository are past their end of life, and therefore, this vulnerability will not be patched. This poses a risk to organizations still using the affected software, potentially leading to the exposure of sensitive data, including user credentials. The vulnerability is tracked as CVE-2026-38739.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local shell access to the server hosting the vulnerable \u003ccode\u003eezpublish-legacy\u003c/code\u003e application.\u003c/li\u003e\n\u003cli\u003eAttacker obtains sufficient privileges to execute the \u003ccode\u003edfscleanup.php\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input to the \u003ccode\u003edfscleanup.php\u003c/code\u003e script, exploiting the SQL injection vulnerability in the \u003ccode\u003e_getFileList\u003c/code\u003e function of the \u003ccode\u003eeZDFSFileHandlerMySQLiBackend\u003c/code\u003e class.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edfscleanup.php\u003c/code\u003e script executes the crafted SQL query against the eZ Publish MySQL database.\u003c/li\u003e\n\u003cli\u003eThe SQL injection vulnerability allows the attacker to perform a union-based SQL injection, retrieving data beyond what is normally accessible.\u003c/li\u003e\n\u003cli\u003eAttacker extracts sensitive data from the database, such as user credentials and other confidential information.\u003c/li\u003e\n\u003cli\u003eAttacker uses the extracted credentials to escalate privileges within the application or gain access to other systems.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates the sensitive data, potentially causing further damage to the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to the exposure of sensitive data stored within the eZ Publish MySQL database, including user credentials, configuration details, and other confidential information. While the specific number of victims is unknown, any organization still running the affected \u003ccode\u003eezpublish-legacy\u003c/code\u003e version (2019.03 or potentially other branches) is at risk. If an attack succeeds, it could result in data breaches, unauthorized access to systems, and potential reputational damage to the targeted organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSince the software is past its end-of-life, patching is not an option. Consider migrating to a supported platform to remediate CVE-2026-38739.\u003c/li\u003e\n\u003cli\u003eMonitor execution of \u003ccode\u003edfscleanup.php\u003c/code\u003e with command line arguments containing SQL keywords to detect potential exploitation attempts using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview the report by Advens (\u003ca href=\"https://github.com/Goaterino/ezpublish-legacy-lab/blob/main/SQL%20injection%20and%20arbitrary%20file%20deletion%20in%20dfscleanup.md\"\u003ehttps://github.com/Goaterino/ezpublish-legacy-lab/blob/main/SQL%20injection%20and%20arbitrary%20file%20deletion%20in%20dfscleanup.md\u003c/a\u003e) for further details on the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T19:12:45Z","date_published":"2026-05-29T19:12:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ezpublish-sqli/","summary":"A SQL injection vulnerability exists in ezpublish-legacy, specifically in the dfscleanup.php script and the `_getFileList` function of the `eZDFSFileHandlerMySQLiBackend` class, allowing an attacker with local shell access to potentially expose sensitive data such as user credentials.","title":"SQL Injection Vulnerability in ezsystems ezpublish-legacy dfscleanup","url":"https://feed.craftedsignal.io/briefs/2026-05-ezpublish-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Ezpublish-Legacy (= 2019.03)","version":"https://jsonfeed.org/version/1.1"}