<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-6490 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-6490/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 21 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-6490/feed.xml" rel="self" type="application/rss+xml"/><item><title>QueryMine SMS SQL Injection Vulnerability (CVE-2026-6490)</title><link>https://feed.craftedsignal.io/briefs/2024-01-21-querymine-sqli/</link><pubDate>Sun, 21 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-21-querymine-sqli/</guid><description>A remote SQL injection vulnerability exists in QueryMine sms up to version 7ab5a9ea196209611134525ffc18de25c57d9593 within the admin/deletecourse.php file, caused by improper handling of the ID GET request parameter, potentially leading to unauthorized data access or modification.</description><content:encoded><![CDATA[<p>A SQL injection vulnerability, identified as CVE-2026-6490, has been discovered in QueryMine sms, affecting versions up to 7ab5a9ea196209611134525ffc18de25c57d9593. The vulnerability resides in the <code>admin/deletecourse.php</code> file and is triggered by manipulating the <code>ID</code> GET request parameter.  Successful exploitation allows a remote attacker to inject arbitrary SQL commands. This vulnerability has a publicly available exploit, which significantly increases the likelihood of exploitation. Due to the rolling release model of QueryMine, specific affected versions are not clearly defined. The vendor was notified but did not respond. This poses a significant risk, potentially enabling attackers to compromise sensitive data and system integrity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable QueryMine SMS instance running a version up to 7ab5a9ea196209611134525ffc18de25c57d9593.</li>
<li>The attacker crafts a malicious HTTP GET request targeting the <code>admin/deletecourse.php</code> file.</li>
<li>The crafted request includes a manipulated <code>ID</code> parameter containing SQL injection payloads.</li>
<li>The web server processes the request and passes the malicious <code>ID</code> parameter to the vulnerable SQL query without proper sanitization.</li>
<li>The injected SQL code is executed against the database, potentially allowing the attacker to bypass authentication and access sensitive data.</li>
<li>The attacker may extract user credentials, course data, or other confidential information.</li>
<li>The attacker could modify or delete data within the database.</li>
<li>The attacker could potentially use the SQL injection to gain further access to the server or escalate privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could lead to unauthorized access to sensitive student and administrative data, modification or deletion of critical course information, and potential compromise of the entire QueryMine SMS system. Given that publicly available exploit code exists, the risk of widespread exploitation is elevated. The lack of specific versioning information makes identifying vulnerable installations challenging. If successful, this could allow an attacker to use the database server as an entry point into the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Inspect web server access logs for suspicious GET requests to <code>admin/deletecourse.php</code> containing unusual characters or SQL keywords in the <code>ID</code> parameter; deploy the provided Sigma rule to detect this activity.</li>
<li>Implement input validation and sanitization measures for the <code>ID</code> parameter in <code>admin/deletecourse.php</code> to mitigate SQL injection vulnerabilities.</li>
<li>Monitor web server logs for SQL errors originating from the <code>admin/deletecourse.php</code> script, which could indicate attempted exploitation.</li>
<li>Since patching information is unavailable, consider web application firewall (WAF) rules to filter out malicious SQL injection attempts targeting the <code>ID</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>web-application</category><category>cve-2026-6490</category><category>querymine</category></item></channel></rss>