{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6490/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6490"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["QueryMine SMS"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve-2026-6490","querymine"],"_cs_type":"advisory","_cs_vendors":["QueryMine"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-6490, has been discovered in QueryMine sms, affecting versions up to 7ab5a9ea196209611134525ffc18de25c57d9593. The vulnerability resides in the \u003ccode\u003eadmin/deletecourse.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eID\u003c/code\u003e GET request parameter.  Successful exploitation allows a remote attacker to inject arbitrary SQL commands. This vulnerability has a publicly available exploit, which significantly increases the likelihood of exploitation. Due to the rolling release model of QueryMine, specific affected versions are not clearly defined. The vendor was notified but did not respond. This poses a significant risk, potentially enabling attackers to compromise sensitive data and system integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable QueryMine SMS instance running a version up to 7ab5a9ea196209611134525ffc18de25c57d9593.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003eadmin/deletecourse.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003eID\u003c/code\u003e parameter containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the malicious \u003ccode\u003eID\u003c/code\u003e parameter to the vulnerable SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database, potentially allowing the attacker to bypass authentication and access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may extract user credentials, course data, or other confidential information.\u003c/li\u003e\n\u003cli\u003eThe attacker could modify or delete data within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the SQL injection to gain further access to the server or escalate privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to unauthorized access to sensitive student and administrative data, modification or deletion of critical course information, and potential compromise of the entire QueryMine SMS system. Given that publicly available exploit code exists, the risk of widespread exploitation is elevated. The lack of specific versioning information makes identifying vulnerable installations challenging. If successful, this could allow an attacker to use the database server as an entry point into the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server access logs for suspicious GET requests to \u003ccode\u003eadmin/deletecourse.php\u003c/code\u003e containing unusual characters or SQL keywords in the \u003ccode\u003eID\u003c/code\u003e parameter; deploy the provided Sigma rule to detect this activity.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures for the \u003ccode\u003eID\u003c/code\u003e parameter in \u003ccode\u003eadmin/deletecourse.php\u003c/code\u003e to mitigate SQL injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for SQL errors originating from the \u003ccode\u003eadmin/deletecourse.php\u003c/code\u003e script, which could indicate attempted exploitation.\u003c/li\u003e\n\u003cli\u003eSince patching information is unavailable, consider web application firewall (WAF) rules to filter out malicious SQL injection attempts targeting the \u003ccode\u003eID\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-21T12:00:00Z","date_published":"2024-01-21T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-21-querymine-sqli/","summary":"A remote SQL injection vulnerability exists in QueryMine sms up to version 7ab5a9ea196209611134525ffc18de25c57d9593 within the admin/deletecourse.php file, caused by improper handling of the ID GET request parameter, potentially leading to unauthorized data access or modification.","title":"QueryMine SMS SQL Injection Vulnerability (CVE-2026-6490)","url":"https://feed.craftedsignal.io/briefs/2024-01-21-querymine-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-6490","version":"https://jsonfeed.org/version/1.1"}