Sql-Injection — CraftedSignal Threat Feed

Shandong Hoteam PDM Product Data Management System SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 05:16:00 +0000

Shandong Hoteam Software’s PDM Product Data Management System before version 8.3.10 is susceptible to a SQL injection vulnerability. The vulnerability exists in the /Base/BaseService.asmx/DataService file, specifically affecting the GetQueryMachineGridOnePageData function. By manipulating the SortOrder argument, a remote attacker can inject malicious SQL queries into the system. Successful exploitation could lead to unauthorized data access, modification, or even complete system compromise. Organizations using versions prior to 8.3.10 are urged to upgrade immediately to mitigate the risk. This vulnerability was reported on May 4, 2026.

Attack Chain

Attacker identifies a vulnerable Shandong Hoteam PDM instance running a version prior to 8.3.10.
The attacker crafts a malicious HTTP request targeting the /Base/BaseService.asmx/DataService endpoint.
Within the HTTP request, the attacker modifies the SortOrder argument.
The SortOrder argument is injected with SQL code.
The application fails to properly sanitize the attacker-supplied SQL code.
The application executes the attacker-controlled SQL query against the backend database.
The attacker gains unauthorized access to sensitive data stored within the database.
The attacker exfiltrates the data or uses it for further malicious activities.

Impact

Successful exploitation of this SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands on the affected system. This can lead to unauthorized access to sensitive data, modification of data, or even complete compromise of the database server. Organizations using vulnerable versions of Shandong Hoteam PDM Product Data Management System could suffer significant data breaches, financial losses, and reputational damage. There are no specific victim counts or sector targeting available, but this could affect any organization utilizing the vulnerable PDM system.

Recommendation

Upgrade Shandong Hoteam Software PDM Product Data Management System to version 8.3.10 or later to remediate the vulnerability as mentioned in the overview.
Implement the provided Sigma rule Detect Hoteam PDM SQL Injection Attempt to identify malicious requests targeting the vulnerable endpoint.
Monitor web server logs for suspicious requests containing potentially malicious SQL syntax in the SortOrder parameter, as described in the attack chain.
Implement proper input validation and sanitization techniques to prevent SQL injection vulnerabilities in web applications, mitigating similar risks in the future.

Acrel ECEMS SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 12:15:59 +0000

Acrel Electrical’s ECEMS Enterprise Microgrid Energy Efficiency Management System version 1.3.0 is vulnerable to SQL injection. The vulnerability resides in the /SubstationWEBV2/main/elecMaxMinAvgValue file, where manipulation of the fCircuitids argument allows for the injection of arbitrary SQL commands. The vulnerability, identified as CVE-2026-7694, can be exploited remotely without authentication, posing a significant risk to systems exposed to the network. The vendor was notified but did not respond, and a public exploit is available, increasing the likelihood of exploitation. This flaw allows attackers to potentially access, modify, or delete sensitive data within the ECEMS database.

Attack Chain

Attacker identifies an accessible instance of Acrel ECEMS 1.3.0.
Attacker crafts a malicious SQL payload designed to extract sensitive information or modify the database.
The attacker sends a crafted HTTP request to /SubstationWEBV2/main/elecMaxMinAvgValue with the SQL payload embedded in the fCircuitids parameter.
The ECEMS application fails to properly sanitize the fCircuitids input.
The application executes the attacker-supplied SQL query against the database.
The database server processes the malicious query, potentially returning sensitive data or executing harmful commands.
The attacker receives the output of the injected SQL query.
The attacker uses the extracted information for further malicious activities, such as data exfiltration, privilege escalation, or denial of service.

Impact

Successful exploitation of this SQL injection vulnerability could allow an attacker to read sensitive information from the ECEMS database, modify existing data, or even gain administrative access to the system. This could lead to the compromise of energy efficiency management data, potentially impacting grid stability and financial records. Given the lack of vendor response and the availability of a public exploit, organizations using the affected software are at high risk. The impact includes potential data breaches, system outages, and reputational damage.

Recommendation

Inspect web server logs for suspicious requests to /SubstationWEBV2/main/elecMaxMinAvgValue containing potentially malicious SQL syntax within the fCircuitids parameter (see Sigma rule “Detect Acrel ECEMS SQL Injection Attempt”).
Deploy the Sigma rule “Detect SQL Injection Error Messages” to identify potential SQL injection attempts across all web applications.
Apply input validation and sanitization to all user-supplied input, especially the fCircuitids parameter in /SubstationWEBV2/main/elecMaxMinAvgValue, to prevent SQL injection.
Consider deploying a web application firewall (WAF) to filter out malicious requests targeting this vulnerability.

Jinher OA 1.0 SQL Injection Vulnerability (CVE-2026-7670)

hello@craftedsignal.io — Sat, 02 May 2026 23:16:16 +0000

A SQL injection vulnerability, identified as CVE-2026-7670, affects Jinher OA 1.0, a web-based office automation software. The vulnerability resides within the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx file, specifically in how the application handles the ‘DeptIDList’ argument. An unauthenticated remote attacker can manipulate this argument to inject malicious SQL code into database queries. The vulnerability was reported to the vendor; however, there has been no response, and an exploit is publicly available. This lack of response and the availability of an exploit increases the risk to organizations using the affected Jinher OA 1.0.

Attack Chain

An attacker identifies a Jinher OA 1.0 instance exposed to the internet.
The attacker crafts a malicious HTTP GET or POST request targeting the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx endpoint.
The request includes a modified DeptIDList parameter containing SQL injection payloads.
The server-side application fails to properly sanitize or validate the DeptIDList input.
The unsanitized input is passed directly into a SQL query executed against the underlying database.
The injected SQL code is executed by the database server, potentially allowing the attacker to bypass authentication, extract sensitive data, or modify data.
The attacker retrieves sensitive information, such as user credentials, internal configurations, or financial data, depending on the database structure and injected SQL commands.
The attacker leverages compromised data to gain further access, escalate privileges, or conduct lateral movement within the organization’s network.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7670) can lead to unauthorized access to sensitive data, including user credentials, financial records, and internal communications. An attacker could potentially gain complete control over the affected Jinher OA 1.0 system and the underlying database. This could result in significant data breaches, financial losses, reputational damage, and disruption of business operations. Given the lack of vendor response, organizations using Jinher OA 1.0 are particularly vulnerable and should take immediate action to mitigate this risk.

Recommendation

Inspect web server logs for requests to /C6/JHSoft.Web.PlanSummarize/UserSel.aspx containing suspicious characters or SQL keywords within the DeptIDList parameter, as covered by the Sigma rule “Detect Jinher OA SQL Injection Attempt via DeptIDList”.
Apply input validation and sanitization to all user-supplied data, especially the DeptIDList parameter in /C6/JHSoft.Web.PlanSummarize/UserSel.aspx, to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Generic SQL Injection Attempt” to identify broader SQL injection attempts across your web applications.
Given the vendor’s lack of response, consider isolating the affected Jinher OA 1.0 instance from the network or replacing it with a more secure alternative.

code-projects Online Hospital Management System SQL Injection Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 14:16:18 +0000

CVE-2026-7632 is a critical security flaw affecting code-projects Online Hospital Management System version 1.0. The vulnerability lies within the /viewappointment.php file, where insufficient input validation allows for SQL injection via the delid argument. A remote attacker can exploit this vulnerability to inject arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit is publicly disclosed, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to organizations using the affected system, as it could compromise sensitive patient data and disrupt hospital operations.

Attack Chain

The attacker identifies an instance of code-projects Online Hospital Management System 1.0 running the vulnerable /viewappointment.php script.
The attacker crafts a malicious HTTP request targeting /viewappointment.php with a specially crafted delid parameter containing SQL injection payloads.
The application fails to properly sanitize the delid input, allowing the injected SQL code to be passed to the database.
The injected SQL code is executed against the database server.
The attacker retrieves sensitive data such as patient records, usernames, and passwords from the database using SQL queries like UNION SELECT.
The attacker may modify or delete data within the database.
The attacker could potentially escalate privileges within the application by manipulating user roles or injecting administrative accounts.

Impact

Successful exploitation of CVE-2026-7632 can lead to severe consequences, including unauthorized access to sensitive patient data, such as medical history, personal information, and financial records. Attackers could modify or delete critical data, disrupting hospital operations and potentially impacting patient care. The vulnerability could also allow attackers to gain control of the system, leading to further malicious activities like data exfiltration or ransomware deployment. This poses a significant risk to the privacy and security of patient information.

Recommendation

Deploy the Sigma rule Detect SQL Injection in Online Hospital Management System to your SIEM to identify exploitation attempts targeting the /viewappointment.php endpoint.
Implement input validation and sanitization measures in the /viewappointment.php script to prevent SQL injection attacks.
Upgrade to a patched version of code-projects Online Hospital Management System that addresses CVE-2026-7632 (if available).

Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Geo Mashup plugin for WordPress is vulnerable to time-based SQL injection, as detailed in CVE-2026-4061. This vulnerability affects all versions of the plugin up to and including 1.13.18. The root cause lies in the SearchResults hook, where the map_post_type parameter is mishandled. Specifically, the code first calls stripslashes_deep($_POST), effectively removing WordPress’s magic quotes protection. Subsequently, the unsanitized map_post_type value is directly concatenated into an IN(...) clause without proper escaping using esc_sql() or $wpdb->prepare(). While the ‘any’ branch of the code correctly applies array_map('esc_sql', ...), the alternative branch lacks this crucial sanitization step. Successful exploitation requires the Geo Search feature to be enabled in the plugin’s settings. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive database information through time-based blind techniques.

Attack Chain

The attacker identifies a WordPress site using a vulnerable version of the Geo Mashup plugin (<= 1.13.18) with the Geo Search feature enabled.
The attacker crafts a malicious HTTP POST request targeting the SearchResults hook with a specially crafted map_post_type parameter containing SQL injection payload.
The vulnerable code within the Geo Mashup plugin processes the POST request, removing magic quotes using stripslashes_deep($_POST).
The unsanitized map_post_type value is then concatenated directly into an SQL query within an IN(...) clause without proper escaping.
The injected SQL code executes within the database query, allowing the attacker to manipulate the query’s behavior.
The attacker uses time-based SQL injection techniques (e.g., IF(condition, SLEEP(5), 0)) within the injected payload to infer information based on the response time.
By repeatedly sending modified requests and observing the response times, the attacker can extract sensitive data, character by character, from the database.
The attacker extracts sensitive information such as usernames, passwords, API keys, or other confidential data stored in the WordPress database.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. The severity of the impact depends on the sensitivity of the data stored in the database, but could include exposure of user credentials, confidential business data, or other sensitive information. Because it affects any installation with the Geo Search feature enabled, a large number of websites using the Geo Mashup plugin may be vulnerable. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.

Recommendation

Upgrade the Geo Mashup plugin to the latest version (later than 1.13.18) to patch CVE-2026-4061.
Deploy the provided Sigma rule to detect potential exploitation attempts targeting the vulnerable SearchResults hook using a malicious map_post_type parameter.
Review web server logs for suspicious POST requests to /wp-admin/admin-ajax.php (common AJAX endpoint in WordPress) containing potentially malicious SQL injection payloads in the map_post_type parameter.

SQL Injection Vulnerability in itsourcecode Courier Management System

hello@craftedsignal.io — Fri, 01 May 2026 20:16:24 +0000

itsourcecode Courier Management System 1.0 is vulnerable to a SQL injection vulnerability. The vulnerability resides in the /edit_staff.php file and can be exploited by manipulating the ID argument. This allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit is publicly available, increasing the risk of exploitation. The vulnerability was reported on May 1, 2026, and affects version 1.0 of the Courier Management System.

Attack Chain

The attacker identifies the /edit_staff.php endpoint in the Courier Management System 1.0.
The attacker crafts a malicious SQL injection payload within the ID parameter of a HTTP GET or POST request.
The attacker sends the crafted request to the /edit_staff.php endpoint.
The application fails to properly sanitize the ID parameter, allowing the SQL injection payload to be processed by the database.
The injected SQL query is executed against the database, potentially allowing the attacker to bypass authentication or authorization controls.
The attacker retrieves sensitive information from the database, such as user credentials, financial records, or other confidential data.
The attacker modifies data in the database, potentially altering application behavior or causing data corruption.
The attacker gains full control of the database server.

Impact

Successful exploitation of this SQL injection vulnerability could allow attackers to read, modify, or delete sensitive data within the Courier Management System database. This could lead to unauthorized access to customer information, financial data, and other confidential records. Given the public availability of the exploit, organizations using Courier Management System 1.0 are at a high risk of compromise.

Recommendation

Apply input validation and sanitization to the ID parameter in /edit_staff.php to prevent SQL injection (CVE-2026-7592).
Deploy the provided Sigma rule to detect potential SQL injection attempts targeting the /edit_staff.php endpoint.
Implement a web application firewall (WAF) rule to block known SQL injection payloads (CVE-2026-7592).

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 05:16:03 +0000

On May 1, 2026, a SQL injection vulnerability, CVE-2026-7549, was disclosed in SourceCodester Pharmacy Sales and Inventory System version 1.0. The vulnerability resides in the /ajax.php?action=delete_customer endpoint, where the ID parameter is susceptible to manipulation, enabling remote attackers to inject arbitrary SQL commands. Publicly available exploit code exists, increasing the risk of exploitation. Successful exploitation can lead to unauthorized data access, modification, or deletion within the application’s database. This vulnerability is particularly concerning due to the sensitive nature of pharmacy data, potentially impacting confidentiality, integrity, and availability.

Attack Chain

Attacker identifies the vulnerable /ajax.php?action=delete_customer endpoint in SourceCodester Pharmacy Sales and Inventory System 1.0.
Attacker crafts a malicious HTTP request targeting the vulnerable endpoint.
The malicious request includes a manipulated ID parameter containing a SQL injection payload.
The application fails to properly sanitize the ID parameter before incorporating it into a SQL query.
The injected SQL code is executed against the application’s database.
The attacker gains unauthorized access to sensitive data, such as customer information, prescription details, or inventory levels.
The attacker may modify or delete data within the database, potentially disrupting pharmacy operations or causing data integrity issues.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7549) can lead to the complete compromise of the SourceCodester Pharmacy Sales and Inventory System database. Attackers could potentially exfiltrate sensitive patient data, modify prescription information, or disrupt pharmacy operations by deleting critical data. The vulnerability has a CVSS v3.1 score of 7.3 (HIGH), indicating a significant risk. The number of victims and specific sectors targeted remain unknown, but any pharmacy using the affected version is potentially at risk.

Recommendation

Apply input validation and sanitization to all user-supplied input, especially the ID parameter in /ajax.php?action=delete_customer, to prevent SQL injection (CWE-89).
Deploy the Sigma rule “Detect SQL Injection Attempts in Pharmacy Sales System” to identify and block malicious requests targeting the vulnerable endpoint.
Upgrade to a patched version of SourceCodester Pharmacy Sales and Inventory System that addresses CVE-2026-7549 once available.
Monitor web server logs for suspicious activity, such as unusual requests to /ajax.php?action=delete_customer, to detect potential exploitation attempts.

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 05:16:03 +0000

SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection via the /ajax.php?action=save_customer endpoint. Disclosed on May 1, 2026, the vulnerability, identified as CVE-2026-7550, allows unauthenticated remote attackers to inject arbitrary SQL commands by manipulating the ID argument. The vulnerability exists due to insufficient input validation. Public exploit code is available, increasing the risk of exploitation. This vulnerability allows attackers to potentially read, modify, or delete sensitive data within the application’s database.

Attack Chain

The attacker identifies the vulnerable endpoint /ajax.php?action=save_customer within the Pharmacy Sales and Inventory System 1.0 application.
The attacker crafts a malicious HTTP GET or POST request targeting the /ajax.php?action=save_customer endpoint.
The crafted request includes a manipulated ID parameter designed to inject SQL commands.
The application fails to properly sanitize the input provided in the ID parameter.
The application executes the attacker-supplied SQL code against the database.
The attacker can retrieve sensitive information, such as customer details, product information, or administrative credentials.
The attacker may modify existing data, such as prices or inventory levels.
The attacker may gain complete control of the database, potentially leading to full system compromise.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7550) can lead to unauthorized access to sensitive data, data modification, or complete database compromise. This could result in financial losses, reputational damage, and legal repercussions for affected organizations. Given the nature of the application, attackers could potentially access patient data or prescription information, leading to severe privacy breaches.

Recommendation

Apply input validation and sanitization to the ID parameter in the /ajax.php?action=save_customer endpoint to prevent SQL injection attacks.
Monitor web server logs for suspicious requests targeting the /ajax.php?action=save_customer endpoint with unusual ID parameter values. Deploy the provided Sigma rule to detect potential exploitation attempts.
Consider using a Web Application Firewall (WAF) to filter out malicious requests targeting this vulnerability.
Upgrade to a patched version of the SourceCodester Pharmacy Sales and Inventory System once available.
Implement regular database backups to mitigate potential data loss due to successful exploitation.

XATABoost CMS 1.0.0 SQL Injection Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:25 +0000

XATABoost CMS 1.0.0 is susceptible to a union-based SQL injection vulnerability (CVE-2018-25300). This flaw enables unauthenticated attackers to inject malicious SQL code through the id parameter in news.php via GET requests. By crafting specific payloads, attackers can manipulate database queries to extract sensitive information. This vulnerability poses a significant risk, as it could lead to data breaches, account compromise, and further exploitation of the affected system. The targeted exploitation vector is the news.php file, making it a critical area for monitoring and mitigation.

Attack Chain

An unauthenticated attacker identifies the news.php endpoint.
The attacker crafts a malicious GET request targeting the id parameter within news.php. This payload contains SQL injection code.
The server-side application fails to properly sanitize the id parameter before constructing the SQL query.
The injected SQL code is executed against the database.
The attacker uses UNION clauses to extract sensitive information from other database tables.
The extracted data is returned as part of the HTTP response.
The attacker parses the HTTP response to retrieve the exfiltrated data.
The attacker uses the exfiltrated data for further malicious activities (e.g., privilege escalation, lateral movement).

Impact

Successful exploitation of this SQL injection vulnerability can result in the unauthorized disclosure of sensitive information stored in the XATABoost CMS database. This includes user credentials, financial data, or other confidential information. The impact could range from a single compromised system to a full-scale data breach, depending on the scope and sensitivity of the data stored within the database. Without further context on affected deployments, the number of potential victims is hard to quantify, but any public-facing XATABoost CMS 1.0.0 instance is vulnerable.

Recommendation

Deploy the Sigma rule Detect XATABoost CMS SQL Injection Attempt to identify malicious GET requests targeting the news.php endpoint and tune for your environment.
Implement input validation and sanitization on the id parameter in the news.php file to prevent SQL injection attacks.
Upgrade to a patched version of XATABoost CMS or implement a web application firewall (WAF) rule to mitigate the vulnerability.
Monitor web server logs for suspicious activity related to news.php and unusual SQL queries.
Review and restrict database user permissions to minimize the impact of successful SQL injection attacks.

EyouCMS SQL Injection Vulnerability (CVE-2026-7389)

hello@craftedsignal.io — Wed, 29 Apr 2026 16:16:29 +0000

A security vulnerability, CVE-2026-7389, has been identified in EyouCMS, specifically affecting versions up to 1.7.9. This vulnerability stems from insufficient sanitization of user-supplied input passed to the sort_asc argument of the GetSortData function located in the application/common.php file. An unauthenticated, remote attacker can exploit this vulnerability to inject malicious SQL queries into the application. Publicly available exploits increase the risk of widespread exploitation. The project maintainers were notified but have not yet addressed the issue, making timely detection and mitigation critical for defenders.

Attack Chain

The attacker identifies an EyouCMS instance running a vulnerable version (<= 1.7.9).
The attacker crafts a malicious HTTP request targeting the GetSortData function within application/common.php.
The crafted request includes a manipulated sort_asc argument containing a SQL injection payload.
The application processes the request without proper sanitization of the sort_asc parameter.
The unsanitized input is incorporated into a SQL query executed by the application.
The injected SQL code modifies the query logic, allowing the attacker to potentially bypass authentication.
The attacker can read sensitive data from the database, such as user credentials or configuration information.
The attacker may escalate privileges or gain complete control of the database server, leading to data exfiltration or service disruption.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7389) could allow an attacker to read, modify, or delete sensitive data stored in the EyouCMS database. This could include user credentials, financial information, or other confidential data. Since an exploit is publicly available, organizations using vulnerable versions of EyouCMS are at increased risk of compromise, potentially leading to data breaches, financial loss, and reputational damage.

Recommendation

Deploy the Sigma rule Detect EyouCMS SQL Injection via sort_asc Parameter to identify exploitation attempts in web server logs.
Inspect web server logs for suspicious requests targeting application/common.php with unusual parameters in the sort_asc argument based on the Sigma rule.
Apply input validation and sanitization to the sort_asc parameter in the GetSortData function to prevent SQL injection.

dubydu sqlite-mcp SQL Injection Vulnerability (CVE-2026-7206)

hello@craftedsignal.io — Tue, 28 Apr 2026 01:16:02 +0000

A SQL injection vulnerability, identified as CVE-2026-7206, has been discovered in dubydu’s sqlite-mcp software, affecting versions up to 0.1.0. The vulnerability resides within the extract_to_json function located in the src/entry.py file. An attacker can exploit this flaw by manipulating the output_filename argument, leading to the execution of arbitrary SQL commands. This vulnerability is remotely exploitable, meaning an attacker does not need local access to the system. A proof-of-concept exploit is publicly available, increasing the risk of active exploitation. Applying patch a5580cb992f4f6c308c9ffe6442b2e76709db548 is the recommended remediation.

Attack Chain

An attacker identifies a vulnerable instance of dubydu sqlite-mcp running a version prior to the patched version.
The attacker crafts a malicious request targeting the extract_to_json function in src/entry.py.
The attacker injects SQL code into the output_filename argument of the request.
The application processes the attacker-supplied output_filename argument without proper sanitization.
The unsanitized input is passed directly to the underlying SQLite database engine.
The SQLite database executes the injected SQL commands, potentially allowing the attacker to read sensitive data, modify data, or execute system commands, depending on the application’s privileges and database configuration.
The attacker retrieves the results of the injected SQL query, such as extracted data or confirmation of successful command execution.
The attacker leverages the compromised database to achieve further objectives, such as data exfiltration or privilege escalation.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7206) can allow an attacker to execute arbitrary SQL queries against the underlying SQLite database. This could lead to the disclosure of sensitive information, modification of data, or even complete compromise of the application and the system it resides on. The CVSS v3.1 base score is 7.3, indicating a high severity vulnerability. Given the public availability of an exploit, affected systems are at an elevated risk of attack.

Recommendation

Apply the provided patch a5580cb992f4f6c308c9ffe6442b2e76709db548 to remediate CVE-2026-7206.
Implement input validation and sanitization measures to prevent SQL injection attacks, focusing on the output_filename parameter of the extract_to_json function.
Monitor web server logs for suspicious requests targeting the extract_to_json function using the Sigma rule Detect Suspicious sqlite-mcp Requests.

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability (CVE-2026-7199)

hello@craftedsignal.io — Tue, 28 Apr 2026 00:16:26 +0000

A SQL injection vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. This vulnerability, assigned CVE-2026-7199, affects the /ajax.php?action=delete_product endpoint. Attackers can remotely exploit this vulnerability by manipulating the ID parameter. The vulnerability was published on April 27, 2026, and the exploit is now publicly available. Successful exploitation allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Due to the ease of exploitation and the sensitive nature of pharmacy data, this vulnerability poses a significant risk to organizations using the affected system.

Attack Chain

The attacker identifies a vulnerable instance of SourceCodester Pharmacy Sales and Inventory System 1.0.
The attacker crafts a malicious HTTP request targeting the /ajax.php?action=delete_product endpoint.
The attacker injects SQL code into the ID parameter of the request.
The server-side application fails to properly sanitize the input, passing the malicious SQL code to the database.
The database executes the injected SQL code, potentially allowing the attacker to bypass authentication, access sensitive data, modify database records, or execute system commands.
The attacker retrieves sensitive data, such as patient information, prescription details, or financial records.
The attacker may escalate privileges within the application and the underlying system.
The attacker can then exfiltrate the compromised data or maintain persistent access to the system for future attacks.

Impact

Successful exploitation of this SQL injection vulnerability can lead to a complete compromise of the Pharmacy Sales and Inventory System. This can result in the theft of sensitive patient data, financial records, and other confidential information. The vulnerability allows attackers to potentially modify or delete critical data, leading to disruption of pharmacy operations, financial losses, and regulatory penalties. As the exploit is publicly available, the likelihood of widespread exploitation is high, impacting any organization using the vulnerable version of the software.

Recommendation

Apply the Sigma rule Detecting SQL Injection Attempts via URI to identify potential exploitation attempts against the /ajax.php?action=delete_product endpoint.
Inspect web server logs for requests to /ajax.php?action=delete_product containing suspicious characters or SQL keywords in the ID parameter, as detected by the Detecting SQL Injection in Pharmacy System Sigma rule.
Implement input validation and sanitization measures to prevent SQL injection vulnerabilities in the SourceCodester Pharmacy Sales and Inventory System, mitigating the underlying issue.
Restrict access to the database server and sensitive data to only authorized personnel, reducing the potential impact of a successful SQL injection attack.
Monitor database logs for suspicious activity, such as unauthorized data access or modification, which may indicate successful exploitation of CVE-2026-7199.

Online Lot Reservation System SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 15:16:21 +0000

A SQL injection vulnerability, identified as CVE-2026-7131, has been discovered in code-projects Online Lot Reservation System version 1.0 and earlier. This vulnerability is located in the /loginuser.php file and can be exploited by manipulating the email and password arguments. Successful exploitation could allow a remote attacker to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability is remotely exploitable and a public exploit is available, increasing the risk of exploitation. Due to the sensitive nature of lot reservation data, organizations using this system are at risk of significant data compromise.

Attack Chain

An attacker identifies a vulnerable instance of code-projects Online Lot Reservation System version 1.0.
The attacker crafts a malicious HTTP request targeting the /loginuser.php file.
Within the request, the attacker injects SQL code into the email or password parameters.
The application fails to properly sanitize the input, passing the malicious SQL code to the database.
The database executes the injected SQL code, treating it as a legitimate query.
The attacker gains unauthorized access to the database, potentially reading sensitive information such as user credentials, reservation details, or financial data.
The attacker may modify or delete data within the database, disrupting the system’s functionality.
The attacker can potentially use the compromised database to pivot to other systems or escalate privileges within the network.

Impact

Successful exploitation of CVE-2026-7131 can result in unauthorized access to sensitive data within the Online Lot Reservation System. This could include user credentials, reservation details, and financial information. The vulnerability affects systems running code-projects Online Lot Reservation System up to version 1.0. Due to the availability of a public exploit, the risk of exploitation is elevated. A successful attack could lead to data breaches, financial loss, and reputational damage.

Recommendation

Apply appropriate input validation and sanitization techniques to prevent SQL injection attacks within the /loginuser.php file.
Deploy the Sigma rule Detect SQL Injection Attempt via Login to identify potential exploitation attempts against the /loginuser.php endpoint.
Monitor web server logs for suspicious requests targeting the /loginuser.php file, specifically looking for SQL syntax within the email or password parameters.
Review and harden database access controls to limit the impact of successful SQL injection attacks.
Implement a web application firewall (WAF) with rules to detect and block SQL injection attempts.
Disable Javascript to ensure complete website functionality.

itsourcecode Construction Management System SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 02:16:01 +0000

A SQL injection vulnerability has been identified in itsourcecode Construction Management System version 1.0. The vulnerability resides within the /locations.php file and is triggered by manipulating the address argument. This allows a remote attacker to inject arbitrary SQL commands into the application’s database queries. This poses a significant risk as successful exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire system. The vulnerability has been assigned CVE-2026-7075, and a public exploit is available, increasing the likelihood of exploitation.

Attack Chain

Attacker identifies an instance of itsourcecode Construction Management System 1.0.
Attacker sends a crafted HTTP request to /locations.php with a malicious SQL payload embedded in the address parameter.
The application fails to properly sanitize the address parameter.
The unsanitized input is incorporated into an SQL query.
The database executes the attacker-controlled SQL query.
The attacker extracts sensitive data from the database.
Attacker may use the injected queries to modify or delete data.
The attacker compromises the confidentiality, integrity, and availability of the Construction Management System.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7075) can lead to unauthorized access to sensitive data, including user credentials, financial records, and project details stored within the Construction Management System database. Attackers could potentially modify or delete critical data, disrupt business operations, or gain complete control over the application and its underlying infrastructure. Given the public availability of the exploit, organizations using the affected version of itsourcecode Construction Management System are at immediate risk.

Recommendation

Deploy the provided Sigma rule to detect suspicious HTTP requests to /locations.php containing potentially malicious SQL syntax in the cs-uri-query (webserver logs).
Implement input validation and sanitization for the address parameter in /locations.php to prevent SQL injection attacks.
Monitor web server logs for unusual activity, especially requests targeting /locations.php with long or complex address parameters.

CodePanda Source canteen_management_system SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 01:16:16 +0000

A SQL injection vulnerability has been identified in CodePanda Source canteen_management_system version 1.0. The vulnerability resides in the /api/login.php file and is triggered by manipulating the Username argument. This allows a remote attacker to inject arbitrary SQL commands into the application’s database queries. Public exploits are available, increasing the risk of exploitation. Successful exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire application and its underlying database. The affected version is 1.0, and there are no known mitigations other than patching or taking the system offline.

Attack Chain

The attacker identifies a CodePanda Source canteen_management_system version 1.0 instance accessible over the network.
The attacker sends a crafted HTTP POST request to /api/login.php with a malicious SQL payload in the Username parameter.
The application fails to properly sanitize the Username input before incorporating it into an SQL query.
The injected SQL code is executed against the application’s database.
The attacker uses SQL injection techniques such as UNION SELECT to extract sensitive data from the database.
The extracted data, which may include usernames, passwords, and other confidential information, is sent back to the attacker.
The attacker uses the compromised credentials to gain unauthorized access to the application’s administrative interface.

Impact

Successful exploitation of this SQL injection vulnerability could allow attackers to read sensitive data, modify existing records, or even execute arbitrary code on the database server. This could lead to a complete compromise of the application and its underlying data. Given the nature of a canteen management system, potential data breaches could include personal information of employees or customers, financial data related to transactions, and internal operational details. The impact may be amplified if the database stores other sensitive information, leading to significant financial and reputational damage.

Recommendation

Inspect web server logs for POST requests to /api/login.php containing SQL syntax within the Username parameter to detect potential exploitation attempts (see example rule below).
Apply input validation and sanitization to all user-supplied input, especially the Username parameter in /api/login.php, to prevent SQL injection.
Monitor database logs for unusual or unauthorized SQL queries originating from the application to identify potential breaches resulting from SQL injection.

SQL Injection Vulnerability in code-projects Inventory Management System 1.0

hello@craftedsignal.io — Mon, 27 Apr 2026 01:16:15 +0000

A SQL injection vulnerability has been identified in code-projects Inventory Management System version 1.0. The vulnerability resides within the Login component and is triggered by manipulating the Username argument. Successful exploitation allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized access to sensitive data, modification of existing records, or even complete database takeover. The vulnerability, identified as CVE-2026-7070, has a CVSS v3.1 score of 7.3, indicating a high severity. Publicly available exploits exist, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to organizations using the affected Inventory Management System, potentially leading to data breaches and financial losses.

Attack Chain

The attacker identifies a login form within the code-projects Inventory Management System 1.0.
The attacker crafts a malicious SQL injection payload within the Username field of the login form.
The attacker submits the crafted payload through an HTTP POST request to the login endpoint.
The application fails to properly sanitize or validate the input provided in the Username field.
The unsanitized input is directly incorporated into an SQL query executed against the backend database.
The injected SQL code modifies the intended query, allowing the attacker to bypass authentication or extract data.
The database server executes the modified SQL query, potentially returning sensitive information to the attacker or allowing unauthorized data manipulation.

Impact

Successful exploitation of this SQL injection vulnerability can have severe consequences. An attacker can gain unauthorized access to sensitive inventory data, customer information, and financial records. Data modification can lead to incorrect inventory levels, disrupted operations, and financial losses. In a worst-case scenario, the attacker could gain complete control over the database server, leading to a full system compromise. This vulnerability impacts organizations using code-projects Inventory Management System 1.0, potentially affecting their reputation, financial stability, and customer trust.

Recommendation

Deploy the Sigma rule Detect SQL Injection Attempts in Web Logs to identify potential exploitation attempts targeting the Username field in web server logs.
Apply input validation and sanitization to the Username field in the Login component of code-projects Inventory Management System 1.0 to mitigate CVE-2026-7070.
Monitor web server logs for unusual SQL syntax or error messages indicative of SQL injection attempts based on the Detect SQL Injection Attempts in Web Logs Sigma rule.

KLiK SocialMediaWebsite SQL Injection Vulnerability (CVE-2026-7002)

hello@craftedsignal.io — Sun, 26 Apr 2026 14:30:00 +0000

KLiK SocialMediaWebsite version 1.0.1 and earlier is susceptible to a SQL injection vulnerability (CVE-2026-7002) affecting the Private Message Handler component. This vulnerability resides within the /includes/get_message_ajax.php file, and is triggered by manipulating the c_id argument. The attack can be launched remotely without authentication, potentially allowing unauthorized access to sensitive data within the application’s database. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential data breaches and unauthorized access to user information. The vulnerability was published on April 25, 2026.

Attack Chain

An attacker identifies a KLiK SocialMediaWebsite instance running version 1.0.1 or earlier.
The attacker crafts a malicious HTTP request targeting the /includes/get_message_ajax.php endpoint.
The attacker injects a SQL payload into the c_id parameter of the HTTP request.
The web server processes the request and passes the malicious SQL query to the database.
The database executes the injected SQL query without proper sanitization, leading to unintended data retrieval or modification.
The attacker retrieves sensitive information from the database, such as user credentials or private messages.
The attacker may use the stolen credentials to gain unauthorized access to user accounts.

Impact

Successful exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive data stored in the KLiK SocialMediaWebsite database. This could include user credentials, private messages, and other personal information. An attacker could potentially gain complete control over the application’s data, leading to data breaches, identity theft, and other malicious activities. Given the wide use of social media platforms, a successful attack could affect a large number of users.

Recommendation

Apply any available patches or updates for KLiK SocialMediaWebsite to address CVE-2026-7002.
Implement proper input validation and sanitization techniques to prevent SQL injection attacks.
Deploy the Sigma rule to detect attempts to exploit this SQL injection vulnerability by monitoring web server logs for suspicious requests targeting /includes/get_message_ajax.php with potentially malicious SQL payloads in the c_id parameter.
Monitor web server logs for HTTP requests to /includes/get_message_ajax.php containing SQL keywords (e.g., SELECT, UNION, UPDATE, INSERT, DELETE) in the c_id parameter.

OpenC3 COSMOS SQL Injection Vulnerability in QuestDB Time-Series Database

hello@craftedsignal.io — Thu, 23 Apr 2026 14:12:02 +0000

A SQL injection vulnerability has been identified in the OpenC3 COSMOS Time-Series Database (TSDB) component, which utilizes QuestDB. The vulnerability resides within the tsdb_lookup function in the cvt_model.rb file, where user-supplied input is directly incorporated into SQL queries without proper sanitization. An authenticated attacker with “tlm” permissions, which includes Admin, Operator, Viewer, or Runner roles, can exploit this flaw to inject arbitrary SQL commands. This can lead to unauthorized data access, modification, or deletion within the TSDB. The affected versions are OpenC3 rubygems package versions >= 6.7.0 and < 7.0.0-rc3. Successful exploitation allows attackers to compromise the confidentiality, integrity, and availability of telemetry data stored within the COSMOS system.

Attack Chain

An attacker authenticates to the COSMOS system with a role that possesses “tlm” permissions (Admin, Operator, Viewer, or Runner).
The attacker crafts a malicious JSON-RPC request targeting the get_tlm_values endpoint.
Within the request body, the attacker injects a SQL payload into the start_time parameter, such as ' OR 1=1 --.
The tsdb_lookup function incorporates the unsanitized input into a SQL query.
The injected SQL payload manipulates the query logic, allowing the attacker to bypass intended restrictions.
The attacker can then exfiltrate all telemetry data within the database by manipulating the SQL query.
The attacker modifies the SQL payload to execute arbitrary commands, such as DROP TABLE statements.
The attacker successfully deletes historical data from the database, impacting data availability and system integrity.

Impact

Successful exploitation of this SQL injection vulnerability allows an attacker to perform unauthorized actions on the OpenC3 COSMOS Time-Series Database (TSDB). An attacker with “tlm” permissions can disclose sensitive telemetry data, modify existing data, or delete data altogether. The vulnerability impacts systems running OpenC3 rubygems package versions >= 6.7.0 and < 7.0.0-rc3. Depending on the role of the compromised account and the specific SQL commands executed, an attacker could potentially cause significant disruption to operations relying on the integrity and availability of telemetry data.

Recommendation

Upgrade the rubygems/openc3 package to version 7.0.0-rc3 or later to remediate the SQL injection vulnerability.
Implement input sanitization on user-supplied data within the tsdb_lookup function in cvt_model.rb to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Suspicious OpenC3 Telemetry Requests” to identify potential exploitation attempts targeting the get_tlm_values endpoint.
Review and restrict “tlm” permissions to the get_tlm_values RPC endpoint according to the principle of least privilege, limiting access to only those users who require it.

Daptin SQL Injection Vulnerability in Aggregate API

hello@craftedsignal.io — Thu, 23 Apr 2026 12:00:00 +0000

Daptin versions prior to 0.11.4 are susceptible to a SQL injection vulnerability in the /aggregate/:typename endpoint. The vulnerability arises because the application fails to properly validate the column and group query parameters before passing them to goqu.L(). This function is used to build raw SQL literal expressions, thus bypassing parameterization and allowing attackers to inject arbitrary SQL code. Any authenticated user, regardless of privilege level, can exploit this vulnerability. This poses a significant risk as it enables unauthorized data extraction, disclosure of database internals, and cross-table data exfiltration. The vulnerability was reported on 2026-04-22 and assigned CVE-2026-41422.

Attack Chain

An attacker authenticates to the Daptin application with valid credentials.
The attacker crafts a malicious HTTP GET request targeting the /aggregate/:typename endpoint.
The attacker injects a SQL payload into the column or group query parameters. For example, column=(SELECT group_concat(email) FROM user_account) as leak.
The Daptin application receives the request and passes the unvalidated column parameter to the goqu.L() function in server/resource/resource_aggregate.go.
The goqu.L() function constructs a raw SQL query using the attacker-controlled input, bypassing any parameterization.
The malicious SQL query is executed against the database.
The attacker retrieves the injected SQL query’s result from the application’s response, which contains sensitive data.
The attacker exfiltrates the extracted data, potentially including user credentials, internal database schema details, or other confidential information.

Impact

Successful exploitation of this SQL injection vulnerability allows attackers to perform unauthorized data extraction, including sensitive information like user credentials. An attacker can also disclose database internals and exfiltrate data from multiple tables, even with low-privilege access. The impact includes potential data breaches, compliance violations, and reputational damage. The vulnerability was confirmed to allow extraction of user_account.email values by a non-admin user.

Recommendation

Upgrade Daptin to version 0.11.4 or later to patch the SQL injection vulnerability (CVE-2026-41422).
Deploy the provided Sigma rule Detect Daptin Aggregate API SQL Injection to identify exploitation attempts in web server logs.
If upgrading is not immediately feasible, implement input validation on the column and group parameters in the /aggregate/:typename endpoint, specifically blocking SQL keywords and functions to mitigate the risk.

ElectricSQL /v1/shape API SQL Injection Vulnerability

hello@craftedsignal.io — Wed, 22 Apr 2026 12:00:00 +0000

Electric, a Postgres sync engine, is vulnerable to SQL injection in the order_by parameter of the ElectricSQL /v1/shape API endpoint. This vulnerability exists in versions 1.1.12 to before 1.5.0. Exploitation allows any authenticated user to execute arbitrary SQL queries, leading to potential data breaches, data manipulation, and complete database compromise. Successful exploitation can result in unauthorized access to sensitive information, modification of critical data, and denial of service. Organizations using vulnerable versions of ElectricSQL are at high risk. The vulnerability is resolved in version 1.5.0.

Attack Chain

An attacker authenticates to the ElectricSQL application.
The attacker crafts a malicious HTTP request targeting the /v1/shape API endpoint.
The crafted request includes a SQL injection payload within the order_by parameter.
The ElectricSQL application processes the request without proper sanitization of the order_by parameter.
The malicious SQL payload is executed against the underlying PostgreSQL database.
The attacker leverages the SQL injection vulnerability to extract sensitive data, such as user credentials or proprietary information, using SELECT statements.
The attacker escalates privileges by manipulating database objects or creating new administrative accounts using CREATE and ALTER statements.
The attacker destroys data or renders the database unavailable using DELETE and DROP statements, achieving complete system compromise.

Impact

Successful exploitation of this SQL injection vulnerability could lead to a complete compromise of the underlying PostgreSQL database. This may result in unauthorized access to sensitive data, including customer information, financial records, and intellectual property. Attackers could also modify or delete data, leading to data loss, service disruption, and reputational damage. Given the potential for complete data destruction, organizations are urged to remediate this vulnerability immediately.

Recommendation

Upgrade ElectricSQL to version 1.5.0 or later to patch the vulnerability (CVE-2026-40906).
Implement input validation and sanitization for all user-supplied data, especially in the order_by parameter of the /v1/shape API.
Monitor web server logs for suspicious activity, such as unusual characters or SQL keywords in the order_by parameter of requests to the /v1/shape API to enable the “Detect Suspicious SQL Injection Attempt in ElectricSQL API Request” rule.
Deploy the Sigma rule “Detect Suspicious SQL Injection Error Messages” to identify potential exploitation attempts based on error responses from the database server.

Multiple Vulnerabilities in OpenBao Allow for Security Bypass, DoS, and SQL Injection

hello@craftedsignal.io — Wed, 22 Apr 2026 07:39:10 +0000

A security advisory highlights multiple vulnerabilities in OpenBao, a secrets management tool. Successful exploitation of these vulnerabilities could allow an attacker to bypass security measures, leading to unauthorized access or privilege escalation. Additionally, an attacker could leverage these flaws to trigger a denial-of-service (DoS) condition, disrupting the availability of the service. Finally, the advisory indicates a SQL injection vulnerability exists, potentially allowing attackers to read, modify, or delete sensitive data within the OpenBao database. Defenders should prioritize patching or mitigating these vulnerabilities to prevent potential attacks and maintain the confidentiality, integrity, and availability of their secrets management infrastructure.

Attack Chain

The attacker identifies a vulnerable OpenBao instance exposed to a network.
The attacker crafts a malicious SQL query designed to exploit the SQL injection vulnerability.
The attacker sends the crafted SQL query to the vulnerable OpenBao instance through a standard API endpoint.
The OpenBao instance processes the malicious SQL query, inadvertently executing attacker-controlled SQL commands.
The attacker uses the SQL injection vulnerability to bypass authentication or authorization checks, gaining unauthorized access to sensitive data or administrative functions.
Alternatively, the attacker exploits the DoS vulnerability by sending a specially crafted request.
The OpenBao instance becomes overwhelmed, consuming excessive resources and becoming unresponsive.
Legitimate users are unable to access OpenBao, leading to service disruption.

Impact

Successful exploitation of these vulnerabilities could lead to significant consequences. An attacker could gain unauthorized access to sensitive secrets, such as API keys, passwords, and certificates, which could then be used to compromise other systems. A successful DoS attack could disrupt critical business operations that rely on OpenBao for secrets management. The impact would depend on the scope of secrets managed by OpenBao and the criticality of the affected services.

Recommendation

Investigate and remediate the identified SQL injection vulnerabilities in OpenBao by applying the necessary patches or upgrades as soon as they are available from the vendor.
Apply rate limiting and input validation to OpenBao API endpoints to mitigate the potential for denial-of-service attacks.
Monitor web server logs for suspicious SQL queries and unusual API request patterns using the Sigma rule Detect Suspicious OpenBao SQL Injection.
Implement network segmentation and access controls to limit the blast radius in case of a successful compromise.
Monitor OpenBao’s resource consumption (CPU, memory, network) for anomalies that could indicate a denial-of-service attack using the Sigma rule Detect OpenBao DoS Attempt.

Metasoft MetaCRM SQL Injection Vulnerability (CVE-2026-6629)

hello@craftedsignal.io — Mon, 20 Apr 2026 11:16:18 +0000

A SQL injection vulnerability, identified as CVE-2026-6629, has been discovered in Metasoft 美特软件 MetaCRM versions up to 6.4.0. The vulnerability resides within the sql.jsp file, specifically affecting the Statement.executeUpdate function of the Interface component. The vulnerability allows remote attackers to inject arbitrary SQL commands by manipulating the sql argument. Public exploit code is available, increasing the risk of exploitation. The vendor was notified but did not respond. This vulnerability poses a significant threat to organizations using the affected MetaCRM versions, potentially leading to data breaches, system compromise, and unauthorized access.

Attack Chain

An attacker identifies a Metasoft MetaCRM instance running a vulnerable version (<= 6.4.0).
The attacker crafts a malicious HTTP request targeting the sql.jsp file.
Within the HTTP request, the attacker manipulates the sql parameter to inject SQL code.
The crafted SQL injection payload is passed to the Statement.executeUpdate function.
The application executes the attacker-controlled SQL query against the underlying database.
The database server executes the malicious SQL command.
The attacker can read sensitive data from the database, modify existing data, or execute administrative commands.
The attacker gains unauthorized access to the system, potentially leading to complete system compromise or data exfiltration.

Impact

Successful exploitation of this SQL injection vulnerability can lead to a range of severe consequences, including unauthorized data access, data modification, and complete system compromise. Attackers could steal sensitive customer data, financial records, or intellectual property. They might also be able to modify existing data to cause financial losses or disrupt business operations. The lack of vendor response exacerbates the risk, as no official patch or mitigation is available. The CVSS score of 7.3 reflects the high potential impact of this vulnerability.

Recommendation

Inspect web server logs for suspicious POST requests targeting sql.jsp with potentially malicious SQL queries in the sql parameter to detect exploitation attempts. Reference the Sigma rule Detect-Metasoft-MetaCRM-SQL-Injection.
Deploy the Sigma rule Detect-Metasoft-MetaCRM-SQL-Error to detect SQL errors that may indicate injection attempts.
Apply input validation and sanitization to the sql parameter in sql.jsp to prevent SQL injection. This requires modifying the application code.
Monitor network traffic for unusual database activity originating from the web server, such as large data transfers or unauthorized access attempts.

Digiwin EasyFlow .NET SQL Injection Vulnerability (CVE-2026-5964)

hello@craftedsignal.io — Mon, 20 Apr 2026 08:16:10 +0000

EasyFlow .NET, a product developed by Digiwin, is affected by a critical SQL Injection vulnerability (CVE-2026-5964). This flaw allows unauthenticated remote attackers to inject arbitrary SQL commands into the application’s database queries. This can lead to the unauthorized reading, modification, or deletion of sensitive database contents. The vulnerability poses a significant risk, as it requires no prior authentication and can be exploited remotely. Public reports detailing the vulnerability were released in April 2026, and exploitation attempts are anticipated to increase. Defenders should prioritize patching and implementing detection mechanisms to mitigate potential exploitation.

Attack Chain

An unauthenticated attacker identifies an EasyFlow .NET instance exposed to the internet.
The attacker crafts a malicious HTTP request containing SQL injection payloads within a vulnerable parameter.
The EasyFlow .NET application fails to properly sanitize the input, passing the malicious SQL query to the database.
The database executes the injected SQL command, potentially revealing sensitive data.
The attacker extracts data from the database, such as user credentials or proprietary information.
The attacker leverages the SQL injection to modify database records, such as escalating privileges or injecting malicious code.
The attacker may delete data from the database, leading to denial of service or data loss.

Impact

Successful exploitation of this SQL Injection vulnerability allows unauthenticated attackers to read, modify, and delete data within the EasyFlow .NET database. This can lead to the compromise of sensitive information, including user credentials, financial data, and proprietary business information. Modified data can disrupt business operations or facilitate further attacks. Data deletion can cause significant data loss and system instability. Due to the critical nature of the vulnerability and the ease of exploitation, organizations using EasyFlow .NET are at high risk.

Recommendation

Apply the patch or upgrade to the latest version of EasyFlow .NET provided by Digiwin to remediate CVE-2026-5964.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts in HTTP Requests” to identify exploitation attempts targeting web servers.
Implement input validation and parameterized queries to prevent SQL injection vulnerabilities in web applications.
Monitor web server logs for suspicious HTTP requests containing common SQL injection keywords.

Digiwin EasyFlow .NET SQL Injection Vulnerability (CVE-2026-5963)

hello@craftedsignal.io — Mon, 20 Apr 2026 08:16:10 +0000

Digiwin EasyFlow .NET is susceptible to a critical SQL Injection vulnerability (CVE-2026-5963). This flaw allows unauthenticated remote attackers to inject arbitrary SQL commands directly into the application’s database queries. The vulnerability allows attackers to read, modify, or delete sensitive data within the EasyFlow .NET database, potentially leading to complete compromise of the application and its underlying data. Given the nature of SQL injection, this vulnerability could be exploited by attackers with minimal technical knowledge, making it a significant threat to organizations using EasyFlow .NET. The vulnerability was disclosed on April 20, 2026, and immediate patching or mitigation is strongly advised.

Attack Chain

An unauthenticated attacker identifies a vulnerable EasyFlow .NET endpoint exposed to the internet.
The attacker crafts a malicious HTTP request containing a SQL injection payload within a parameter expected by the endpoint.
The EasyFlow .NET application fails to properly sanitize or validate the input, passing the malicious SQL query to the database.
The database executes the attacker-controlled SQL query.
The attacker extracts sensitive data from the database by using UNION SELECT statements, potentially revealing usernames, passwords, or confidential business information.
Alternatively, the attacker modifies data within the database using UPDATE statements, potentially altering application configuration or user privileges.
The attacker deletes data from the database using DELETE statements, potentially causing denial-of-service or data loss.
The attacker achieves complete control over the EasyFlow .NET application and its data, potentially using this access to pivot to other internal systems.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to read, modify, or delete arbitrary data within the EasyFlow .NET database. This can lead to the exposure of sensitive customer information, financial data, or intellectual property. Attackers could also modify application configurations, escalate privileges, or cause a complete denial of service. Given the critical nature of business process management applications like EasyFlow, a successful attack could result in significant financial losses, reputational damage, and regulatory penalties.

Recommendation

Apply the security patch or update provided by Digiwin to address CVE-2026-5963.
Implement strong input validation and sanitization techniques on all user-supplied data within EasyFlow .NET to prevent SQL injection attacks, referencing CWE-89.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts in Web Logs” to monitor for exploitation attempts against EasyFlow .NET web server logs.
Monitor network traffic for suspicious database activity originating from EasyFlow .NET servers.
Review and restrict database user privileges to follow the principle of least privilege.

WeGIA SQL Injection Vulnerability (CVE-2026-40285)

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

WeGIA, a web manager for charitable institutions, is susceptible to a SQL injection vulnerability affecting versions prior to 3.6.10. This flaw, identified as CVE-2026-40285, resides in the dao/memorando/UsuarioDAO.php file. The vulnerability stems from the insecure handling of the cpf_usuario POST parameter within the DespachoControle::verificarDespacho() function, where the extract($_REQUEST) function overwrites the session-stored user identity. An attacker can then manipulate the cpf_usuario value, which is subsequently interpolated directly into a raw SQL query. This allows an authenticated user to execute arbitrary SQL queries with the privileges of an arbitrary user, potentially gaining unauthorized access to sensitive data. WeGIA version 3.6.10 addresses and resolves this critical vulnerability.

Attack Chain

An attacker authenticates to the WeGIA web application.
The attacker crafts a malicious HTTP POST request targeting the endpoint associated with DespachoControle::verificarDespacho().
The crafted POST request includes the cpf_usuario parameter with a SQL injection payload.
The extract($_REQUEST) function processes the POST data, overwriting the legitimate session-stored user identity with the attacker-controlled cpf_usuario value.
The application constructs a raw SQL query, directly interpolating the malicious cpf_usuario value into the query string without proper sanitization.
The database executes the crafted SQL query, effectively querying the database as an arbitrary user specified by the attacker in the cpf_usuario parameter.
The application returns the results of the injected SQL query to the attacker, potentially revealing sensitive information.
The attacker can leverage the SQL injection to perform unauthorized data retrieval, modification, or deletion within the WeGIA application.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-40285) allows attackers to bypass authentication and access sensitive data within the WeGIA application. This could lead to the compromise of user accounts, financial records, or other confidential information managed by charitable institutions using WeGIA. The impact could range from data breaches and financial losses to reputational damage and legal repercussions for the affected organizations. The CVSS v3.1 base score of 8.8 indicates a high level of severity.

Recommendation

Upgrade WeGIA installations to version 3.6.10 or later to remediate CVE-2026-40285.
Deploy the following Sigma rule to detect exploitation attempts by monitoring for POST requests containing potentially malicious SQL injection payloads in the cpf_usuario parameter.
Implement input validation and sanitization measures for all user-supplied data, especially within the DespachoControle::verificarDespacho() function to prevent future SQL injection vulnerabilities.
Review web server logs for suspicious POST requests targeting WeGIA endpoints to identify potential exploitation attempts.

PraisonAI Multiple Backends Vulnerable to SQL Injection via Unvalidated Table Prefix

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

PraisonAI, a software application, contains a critical SQL injection vulnerability affecting nine of its conversation store backends, including MySQL, PostgreSQL, and others. The vulnerability stems from the improper handling of the table_prefix parameter, which is passed directly into SQL queries without adequate validation. Specifically, backends such as MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, and SurrealDB are affected. In addition, the PostgreSQL backend is vulnerable due to the unvalidated schema parameter. This flaw allows an attacker to inject arbitrary SQL commands, potentially gaining unauthorized access to sensitive data. The incomplete fix for CVE-2026-40315 only addressed the SQLite backend, leaving other backends exposed. This vulnerability exists in PraisonAI versions 4.5.148 and earlier, as well as PraisonAI Agents versions 1.6.7 and earlier.

Attack Chain

An attacker identifies a PraisonAI instance where the table_prefix or schema (PostgreSQL) parameter is derived from external input (e.g., API request, user-modifiable configuration).
The attacker crafts a malicious table_prefix or schema string containing SQL injection payload (e.g., “x’; DROP TABLE users; –”).
The attacker injects the malicious table_prefix or schema via the vulnerable input vector.
The PraisonAI application receives the crafted table_prefix or schema and incorporates it into a dynamically generated SQL query without proper sanitization.
The application executes the malicious SQL query against the database.
The attacker’s injected SQL commands are executed, potentially allowing them to read, modify, or delete data within the database.
The attacker gains unauthorized access to sensitive data, such as user credentials, financial information, or other confidential data.
The attacker may escalate privileges, compromise other systems, or perform further malicious activities within the affected environment.

Impact

Successful exploitation of this vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to complete database compromise. The attacker can read sensitive data, modify existing records, inject malicious code, or even drop entire tables. This can result in significant data loss, financial damage, and reputational harm for affected organizations. This vulnerability is exploitable in any deployment where the table_prefix is derived from external input, such as in multi-tenant setups or API-driven configurations. The PostgreSQL schema parameter provides an additional injection point, further expanding the attack surface.

Recommendation

Apply input validation and sanitization to the table_prefix parameter in all database backends, mirroring the fix implemented for sqlite.py as described in the overview.
Apply input validation and sanitization to the schema parameter in the PostgreSQL backend, as noted in the overview.
Deploy the Sigma rule Detect Malicious Table Prefix to detect attempts to exploit this vulnerability in MySQL and PostgreSQL backends, as detailed below.
Upgrade PraisonAI to a version that includes proper input validation for table_prefix and schema parameters, targeting versions later than 4.5.148 for PraisonAI and later than 1.6.7 for PraisonAI Agents.

YesWiki Authenticated SQL Injection Vulnerability

hello@craftedsignal.io — Sat, 18 Apr 2026 01:00:30 +0000

YesWiki versions 4.6.0 and earlier are vulnerable to SQL injection in the bazar module. This vulnerability exists in tools/bazar/services/EntryManager.php within the formatDataBeforeSave() function. The $data['id_fiche'] value, derived from the $_POST['id_fiche'] parameter, is directly concatenated into a raw SQL query without proper sanitization. An authenticated attacker can exploit this by sending a crafted POST request to the /api/entries/{formId} endpoint. Successful exploitation enables time-based blind SQL injection, potentially leading to complete database compromise. The vulnerability was confirmed using a Docker PoC demonstrating the ability to induce a time delay using the SLEEP() function within the injected SQL.

Attack Chain

Attacker authenticates to the YesWiki application as any user. This requires a valid wikini_session cookie.
Attacker crafts a POST request to /api/entries/{formId}, where {formId} is the ID of an existing bazar form.
The POST request includes the id_fiche parameter with a malicious SQL payload, such as ' OR SLEEP(3) OR '.
ApiController::createEntry() processes the request and calls isEntry($_POST['id_fiche']).
Since the injected SQL will likely not correspond to an existing entry, the create() method is invoked.
The create() method calls formatDataBeforeSave(), which contains the SQL injection vulnerability at line 704 in EntryManager.php.
The injected SQL payload is executed by the database server via dbService->loadSingle(), without proper escaping or parameterization.
If successful, the attacker can extract sensitive information from the database, such as usernames, passwords, and other confidential data. They can also modify data within the database.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the complete compromise of the YesWiki database. This includes the potential to access and exfiltrate sensitive data, such as user credentials, configuration details, and business-critical information. Attackers can also modify or delete data, leading to data integrity issues and service disruption. Since any authenticated user can trigger the vulnerability, the impact is widespread. The vulnerability affects composer/yeswiki/yeswiki versions 4.6.0 and earlier.

Recommendation

Apply the provided patch in tools/bazar/services/EntryManager.php by escaping the $data['id_fiche'] value before using it in the SQL query (see Proposed Fix in Content section).
Deploy the Sigma rule “Detect YesWiki SQL Injection Attempt via API Entries” to detect attempts to exploit this vulnerability via suspicious id_fiche POST data.
Monitor web server logs for POST requests to /api/entries/* with unusually long or complex id_fiche parameters, as this could indicate a SQL injection attempt.
Review and audit all database queries within the YesWiki application to identify and remediate any other potential SQL injection vulnerabilities.

WC Lovers WCFM Marketplace SQL Injection Vulnerability (CVE-2025-63029)

hello@craftedsignal.io — Wed, 15 Apr 2026 17:17:00 +0000

CVE-2025-63029 describes an SQL Injection vulnerability affecting the WC Lovers WCFM (WooCommerce Frontend Manager) Marketplace WordPress plugin. This vulnerability, present in versions up to and including 3.7.1, stems from improper neutralization of special elements within SQL commands. An attacker exploiting this flaw can inject malicious SQL code, potentially leading to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and the WCFM Marketplace plugin, this vulnerability poses a significant risk to e-commerce websites and their associated sensitive information. Successful exploitation could result in compromised customer data, financial losses, and reputational damage.

Attack Chain

The attacker identifies a vulnerable WCFM Marketplace instance running a version <= 3.7.1.
The attacker crafts a malicious HTTP request containing SQL injection payloads in a vulnerable parameter.
The WCFM Marketplace plugin fails to properly sanitize the attacker-controlled input.
The unsanitized input is incorporated into an SQL query executed against the WordPress database.
The injected SQL code modifies the intended query logic.
The database server executes the attacker’s malicious SQL query.
The attacker gains unauthorized access to sensitive data stored in the database, such as user credentials, financial information, or product details.
The attacker may modify or delete data, escalate privileges, or potentially gain control of the WordPress site.

Impact

Successful exploitation of CVE-2025-63029 can have severe consequences. An attacker could gain complete control over the affected WordPress site’s database. This can lead to the theft of sensitive customer data (e.g., usernames, passwords, addresses, payment information), modification of product listings and pricing, or even complete site defacement or takeover. The number of potentially affected sites is substantial, considering the popularity of the WCFM Marketplace plugin.

Recommendation

Upgrade the WC Lovers WCFM Marketplace plugin to the latest available version, which includes a patch for CVE-2025-63029.
Deploy the Sigma rule “Detect Suspicious WCFM Marketplace SQL Injection Attempts” to your SIEM to identify potential exploitation attempts targeting this vulnerability.
Monitor web server logs for suspicious HTTP requests containing potential SQL injection payloads targeting the WCFM Marketplace plugin.
Review and harden database access controls to minimize the impact of potential SQL injection attacks.

Krayin CRM v2.2.x SQL Injection Vulnerability

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

Krayin CRM v2.2.x is susceptible to a SQL injection vulnerability identified as CVE-2026-38528. The vulnerability resides in the /Lead/LeadDataGrid.php script, specifically within the rotten_lead parameter. An attacker could exploit this vulnerability by injecting malicious SQL queries, potentially gaining unauthorized access to sensitive information stored within the CRM database. The CVSS v3.1 score is 7.1, indicating a high severity level. Successful exploitation requires a low level of privileges. This vulnerability was reported in April 2026 and could impact organizations using the affected Krayin CRM version, leading to data breaches and potential compromise of customer information.

Attack Chain

An attacker identifies a vulnerable Krayin CRM v2.2.x instance.
The attacker crafts a malicious HTTP request targeting /Lead/LeadDataGrid.php.
The HTTP request includes a SQL injection payload within the rotten_lead parameter.
The Krayin CRM application processes the request without proper sanitization of the rotten_lead parameter.
The injected SQL query is executed against the CRM database.
The attacker retrieves sensitive data from the database, such as customer details, user credentials, or financial information.
The attacker may use the compromised data for further malicious activities, such as identity theft or financial fraud.

Impact

Successful exploitation of this SQL injection vulnerability could lead to the unauthorized disclosure of sensitive customer data, financial records, and internal CRM data. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations. While the exact number of potential victims is unknown, any organization using Krayin CRM v2.2.x is at risk.

Recommendation

Apply any available patches or updates from the vendor to address CVE-2026-38528.
Implement input validation and sanitization on the rotten_lead parameter within /Lead/LeadDataGrid.php to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Krayin CRM SQL Injection Attempt” to your SIEM and tune for your environment.
Monitor web server logs for suspicious requests targeting /Lead/LeadDataGrid.php with potentially malicious SQL syntax.
Implement strong database access controls to limit the impact of successful SQL injection attacks.

SQL Injection Vulnerability in anirudhkannan Grocery Store Management System 1.0 (CVE-2025-63939)

hello@craftedsignal.io — Tue, 14 Apr 2026 16:16:33 +0000

CVE-2025-63939 is a SQL injection vulnerability found in anirudhkannan Grocery Store Management System version 1.0. The vulnerability resides in the /Grocery/search_products_itname.php script, specifically related to improper input handling of the sitem_name POST parameter. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the sitem_name parameter, potentially leading to unauthorized access to the database, data exfiltration, modification, or even complete system compromise. The vulnerable software is a web application typically deployed on web servers, potentially exposing a wide range of grocery stores and related businesses to this critical flaw. This vulnerability was published on 2026-04-14.

Attack Chain

An attacker identifies an instance of anirudhkannan Grocery Store Management System 1.0 running on a web server.
The attacker crafts a malicious HTTP POST request targeting the /Grocery/search_products_itname.php endpoint.
The crafted POST request includes the sitem_name parameter, containing SQL injection payload.
The web server receives the malicious request and passes the sitem_name value to the vulnerable SQL query without proper sanitization or escaping.
The injected SQL code is executed by the database server, allowing the attacker to manipulate the database.
The attacker uses SQL injection techniques (e.g., UNION SELECT, SLEEP()) to extract sensitive data, such as user credentials, product information, or financial records.
Depending on database privileges, the attacker could modify existing data (e.g., changing product prices, altering inventory levels) or insert new data (e.g., creating rogue administrator accounts).
The attacker achieves complete control over the database, potentially leading to full system compromise, data exfiltration, or denial-of-service.

Impact

Successful exploitation of CVE-2025-63939 can have severe consequences. An attacker could gain unauthorized access to sensitive customer data, including personal information, payment details, and order history. This can lead to financial losses, reputational damage, and legal liabilities for the affected grocery store. The attacker could also manipulate product information, alter pricing, or disrupt business operations. In a worst-case scenario, the attacker could gain complete control of the database server, leading to full system compromise and significant financial and operational losses. Given the widespread use of vulnerable versions, a large number of grocery stores using this software are potentially at risk.

Recommendation

Apply the necessary patches or updates provided by the vendor to address CVE-2025-63939. If a patch is unavailable, consider implementing a web application firewall (WAF) rule to filter out malicious SQL injection attempts targeting the /Grocery/search_products_itname.php endpoint.
Deploy the Sigma rule Detecting SQL Injection Attempts via sitem_name Parameter to your SIEM to identify potential exploitation attempts.
Review and harden database access controls to limit the impact of successful SQL injection attacks.
Monitor web server logs for suspicious POST requests to /Grocery/search_products_itname.php containing potentially malicious SQL syntax, as detected by Detecting SQL Injection Attempts via sitem_name Parameter.
Inspect traffic for connections to the URL https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939 to identify potential reconnaissance activity.

SAP Business Planning and Consolidation and Business Warehouse SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 00:16:06 +0000

CVE-2026-27681 highlights a critical security flaw within SAP Business Planning and Consolidation and SAP Business Warehouse. This vulnerability stems from insufficient authorization checks, which allows an authenticated user to inject and execute arbitrary SQL commands. The vulnerability was published on 2026-04-13. An attacker can leverage this flaw to perform unauthorized actions such as reading sensitive data, modifying critical system configurations, and deleting essential information. The successful exploitation of CVE-2026-27681 can lead to significant disruption of business operations, data breaches, and potential financial losses. The scope of impact is broad, affecting organizations relying on these SAP solutions for their planning, consolidation, and data warehousing needs. Defenders should prioritize patching and mitigating this vulnerability to prevent potential exploitation.

Attack Chain

An attacker gains valid credentials for SAP Business Planning and Consolidation or SAP Business Warehouse.
The attacker identifies input fields or interfaces within the SAP application that are vulnerable to SQL injection.
The attacker crafts malicious SQL statements designed to bypass authorization checks.
The attacker injects the crafted SQL statements into the vulnerable input fields or interfaces.
The SAP application executes the attacker-supplied SQL statements against the underlying database.
The attacker reads sensitive data from database tables, including user credentials, financial records, or proprietary information.
The attacker modifies existing data within the database to manipulate system configurations, grant elevated privileges, or disrupt business processes.
The attacker deletes critical database records, causing data loss, system instability, and denial of service.

Impact

Successful exploitation of CVE-2026-27681 can have severe consequences for affected organizations. The ability to read, modify, and delete database data can lead to data breaches, financial fraud, and disruption of critical business processes. The vulnerability allows attackers to gain unauthorized access to sensitive information, manipulate system configurations, and cause data loss. This can result in significant financial losses, reputational damage, and regulatory penalties. Organizations relying on SAP Business Planning and Consolidation and SAP Business Warehouse should prioritize patching this vulnerability to prevent potential exploitation.

Recommendation

Apply the security patch provided by SAP SE as described in SAP Note 3719353 to remediate CVE-2026-27681 immediately.
Monitor SAP application logs for suspicious SQL queries or unauthorized database access attempts to detect potential exploitation of CVE-2026-27681.
Implement strong input validation and sanitization measures to prevent SQL injection attacks in SAP Business Planning and Consolidation and SAP Business Warehouse.
Deploy the Sigma rule “Detect Suspicious SAP SQL Injection Attempts” to identify potential exploitation attempts.

SQL Injection Vulnerability in Faculty Management System

hello@craftedsignal.io — Mon, 13 Apr 2026 07:16:51 +0000

The code-projects Faculty Management System 1.0 is vulnerable to SQL injection (CVE-2026-6167) within the /subject-print.php file. The vulnerability stems from improper sanitization of the ID argument, allowing a remote attacker to inject arbitrary SQL commands. This exploit has been publicly disclosed, increasing the risk of widespread exploitation. Given the sensitive nature of data managed by faculty management systems, successful exploitation could lead to significant data breaches, system compromise, and disruption of academic operations. The lack of required authentication to trigger the vulnerability makes it particularly dangerous.

Attack Chain

The attacker identifies a vulnerable instance of code-projects Faculty Management System 1.0 accessible over the internet.
The attacker crafts a malicious HTTP GET request targeting the /subject-print.php endpoint.
The malicious request includes a modified ID parameter containing SQL injection payloads. For example, ID=1' OR '1'='1.
The web server processes the request and passes the unsanitized ID parameter to the underlying SQL database.
The injected SQL code is executed by the database, potentially allowing the attacker to bypass authentication or access unauthorized data.
The attacker leverages the SQL injection to extract sensitive data from the database, such as usernames, passwords, student records, or financial information.
The attacker may use the extracted credentials to gain administrative access to the application.
Finally, the attacker could modify or delete data within the database, exfiltrate data, or pivot to other systems within the network.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-6167) in code-projects Faculty Management System 1.0 can lead to severe consequences. An attacker could potentially access and exfiltrate sensitive student and faculty data, modify grades, compromise user accounts, and disrupt academic operations. The public availability of the exploit increases the likelihood of widespread attacks targeting vulnerable systems, potentially impacting numerous educational institutions.

Recommendation

Inspect web server logs for suspicious HTTP requests targeting /subject-print.php with unusual characters or SQL keywords in the ID parameter to detect potential exploitation attempts. Use the provided Sigma rule to facilitate this.
Implement a web application firewall (WAF) rule to block requests containing SQL injection payloads targeting /subject-print.php.
Apply input validation and sanitization to the ID parameter in /subject-print.php to prevent SQL injection, effectively patching CVE-2026-6167.
Monitor database logs for unusual queries originating from the web application server that could indicate successful SQL injection.

SQL Injection Vulnerability in Lost and Found Thing Management 1.0

hello@craftedsignal.io — Mon, 13 Apr 2026 06:16:06 +0000

A critical SQL injection vulnerability has been identified in code-projects Lost and Found Thing Management version 1.0, tracked as CVE-2026-6163. This vulnerability resides within the /catageory.php file and can be exploited by remotely manipulating the cat parameter. Due to the application’s failure to properly sanitize user-supplied input, an attacker can inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion. The existence of a publicly available exploit increases the risk of widespread exploitation. Organizations using this software should take immediate action to mitigate the risk.

Attack Chain

An attacker identifies a vulnerable instance of Lost and Found Thing Management 1.0.
The attacker crafts a malicious HTTP GET request targeting the /catageory.php endpoint.
The crafted request includes a SQL injection payload within the cat parameter.
The web server receives the request and passes the unsanitized cat parameter to the application’s database query.
The injected SQL code is executed within the database context.
Depending on the injected code, the attacker can read sensitive data, modify existing records, or delete information from the database.
The database server processes the malicious SQL query and returns the output.
The application returns the modified output to the attacker.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-6163) could allow a remote attacker to compromise the affected Lost and Found Thing Management 1.0 application. This may lead to unauthorized access to sensitive information stored within the database, such as user credentials, personal details of individuals who have lost or found items, and information about the items themselves. The attacker can potentially modify or delete records, leading to data corruption or denial of service. Due to the availability of a public exploit, the potential impact is significant for any organization running this vulnerable software.

Recommendation

Apply available patches or updates provided by the vendor (code-projects.org) to remediate the SQL injection vulnerability in /catageory.php as soon as they become available.
Implement input validation and sanitization on all user-supplied data, particularly the cat parameter in /catageory.php, to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts via URI” to detect potential exploitation attempts against the /catageory.php endpoint.
Review and restrict database user privileges to follow the principle of least privilege, limiting the impact of successful SQL injection attacks.
Monitor web server logs for suspicious activity related to the /catageory.php endpoint, such as unusual characters or SQL keywords in the cat parameter.

Simple ChatBox Unauthenticated SQL Injection Vulnerability (CVE-2026-6161)

hello@craftedsignal.io — Mon, 13 Apr 2026 05:16:05 +0000

A critical SQL injection vulnerability, identified as CVE-2026-6161, has been discovered in Simple ChatBox version 1.0 and earlier. This flaw resides in the /chatbox/insert.php file, which is responsible for handling chat message insertion. A remote attacker can exploit this vulnerability by injecting malicious SQL code into the msg parameter of an HTTP request, without needing authentication. The attacker’s malicious SQL commands are then executed against the application database. The exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation could lead to unauthorized data access, modification, or even complete database takeover. Due to the ease of exploitation and potential impact, this vulnerability poses a significant threat to systems running vulnerable versions of Simple ChatBox.

Attack Chain

The attacker identifies a Simple ChatBox installation running version 1.0 or earlier.
The attacker crafts a malicious HTTP POST request targeting the /chatbox/insert.php endpoint.
The attacker injects SQL code into the msg parameter of the POST request. This code could be designed to extract data, modify existing data, or insert new data into the database.
The web server receives the malicious HTTP request and passes the msg parameter to the vulnerable PHP script.
The /chatbox/insert.php script fails to properly sanitize the msg parameter before using it in an SQL query.
The injected SQL code is executed against the Simple ChatBox database, granting the attacker unauthorized access.
The attacker may use this access to read sensitive data, such as user credentials or private messages.
The attacker could also modify data to deface the chatbox or inject malicious content.

Impact

Successful exploitation of CVE-2026-6161 can lead to a range of severe consequences. An attacker can gain unauthorized access to the Simple ChatBox database, potentially compromising sensitive information such as user credentials, private messages, and other application data. This can result in data breaches, identity theft, and reputational damage. Furthermore, the attacker could modify or delete data, leading to data loss or service disruption. In the worst-case scenario, the attacker could gain complete control over the database server, potentially compromising other applications or systems hosted on the same server. Due to the public availability of the exploit, unpatched Simple ChatBox installations are at significant risk of being targeted.

Recommendation

Apply appropriate input validation and sanitization techniques to the msg parameter within the /chatbox/insert.php file to prevent SQL injection (reference: CVE-2026-6161).
Deploy the provided Sigma rule to detect suspicious HTTP requests targeting /chatbox/insert.php with potentially malicious SQL payloads (reference: the Sigma rule “Detect Simple Chatbox SQL Injection Attempt”).
Implement database access controls to limit the privileges of the Simple ChatBox application to the minimum required for its operation, mitigating potential damage from successful SQL injection (reference: CVE-2026-6161).

MyT-PM 1.5.1 SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:34 +0000

MyT-PM 1.5.1 is susceptible to an SQL injection vulnerability (CVE-2019-25713) that enables authenticated attackers to execute arbitrary SQL queries. This vulnerability exists due to insufficient input sanitization of the Charge[group_total] parameter. By sending specially crafted POST requests to the /charge/admin endpoint, an attacker can inject malicious SQL code, potentially leading to sensitive data extraction, data manipulation, or other unauthorized actions. This vulnerability poses a significant risk to organizations using MyT-PM 1.5.1 as it could compromise the integrity and confidentiality of their data.

Attack Chain

An attacker authenticates to the MyT-PM 1.5.1 application.
The attacker crafts a malicious POST request targeting the /charge/admin endpoint.
Within the POST request, the attacker injects SQL code into the Charge[group_total] parameter.
The application processes the request without properly sanitizing the Charge[group_total] parameter.
The injected SQL code is executed against the underlying database.
The attacker leverages the SQL injection to extract sensitive data (e.g., user credentials, financial information) using error-based, time-based blind, or stacked query payloads.
The attacker may further manipulate data within the database, potentially altering records or creating new entries.
The attacker achieves complete control over the database, potentially leading to full system compromise.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the unauthorized disclosure of sensitive information, such as user credentials, financial records, and other confidential data stored within the MyT-PM database. Attackers may also be able to modify or delete data, leading to data integrity issues and potential disruption of business operations. This could result in financial losses, reputational damage, and legal repercussions for affected organizations.

Recommendation

Apply patches or upgrade to a secure version of MyT-PM that addresses CVE-2019-25713.
Deploy the provided Sigma rule to detect potentially malicious requests containing SQL injection attempts targeting the /charge/admin endpoint and the Charge[group_total] parameter.
Implement input validation and sanitization measures to prevent SQL injection vulnerabilities in MyT-PM and other web applications.
Monitor web server logs for suspicious POST requests to /charge/admin with unusual characters or SQL keywords in the Charge[group_total] parameter.

eBrigade ERP 4.5 SQL Injection Vulnerability (CVE-2019-25707)

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:33 +0000

eBrigade ERP 4.5 is susceptible to an SQL injection vulnerability (CVE-2019-25707) that enables authenticated attackers to execute arbitrary SQL queries. The vulnerability is located in the pdf.php script and is triggered via the ‘id’ parameter. By injecting malicious SQL code into this parameter through a GET request, an attacker can potentially extract sensitive information from the database, including table names and schema details. This vulnerability poses a significant risk to organizations using eBrigade ERP 4.5, as successful exploitation could lead to data breaches, compromised credentials, and other malicious activities. The vulnerability was published on 2026-04-12.

Attack Chain

An attacker gains valid credentials for eBrigade ERP 4.5 either through credential stuffing or some other credential compromise technique.
The attacker crafts a malicious SQL payload designed to extract sensitive information or manipulate the database.
The attacker constructs a GET request targeting the pdf.php endpoint, embedding the malicious SQL payload within the ‘id’ parameter (e.g., pdf.php?id=1' UNION SELECT ...).
The server-side application fails to properly sanitize or validate the ‘id’ parameter before incorporating it into an SQL query.
The application executes the attacker-controlled SQL query against the database.
The database returns the results of the injected SQL query to the application.
The application displays the extracted data to the attacker.
The attacker uses the extracted data (database schema, usernames, passwords, etc.) to further compromise the application or gain unauthorized access to other systems.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2019-25707) can lead to the extraction of sensitive information from the eBrigade ERP 4.5 database. This could include customer data, financial records, employee information, and other confidential data. The impact could range from data breaches and financial losses to reputational damage and legal repercussions. While the exact number of victims is unknown, any organization using eBrigade ERP 4.5 is potentially at risk.

Recommendation

Inspect web server access logs for suspicious GET requests to pdf.php containing SQL syntax in the id parameter to detect exploitation attempts using the provided Sigma rule.
Apply input validation and sanitization to the ‘id’ parameter in pdf.php to prevent SQL injection attacks.
Upgrade to a patched version of eBrigade ERP or apply the necessary security patches provided by the vendor to remediate CVE-2019-25707.
Monitor network traffic for unusual database activity originating from the eBrigade ERP 4.5 server.
Block access to the known exploit URL (https://www.exploit-db.com/exploits/46117) at your web proxy or firewall.

Vehicle Showroom Management System SQL Injection Vulnerability (CVE-2026-6038)

hello@craftedsignal.io — Fri, 10 Apr 2026 09:20:18 +0000

A SQL injection vulnerability, identified as CVE-2026-6038, has been discovered in version 1.0 of the code-projects Vehicle Showroom Management System. This vulnerability resides within the /util/RegisterCustomerFunction.php file, and can be exploited by manipulating the BRANCH_ID argument. The vulnerability allows for remote exploitation, meaning an attacker does not need local access to the system. Publicly available exploit code exists, increasing the likelihood of exploitation. Successful exploitation could allow an attacker to read, modify, or delete sensitive data within the application’s database. This vulnerability was published on 2026-04-10.

Attack Chain

Attacker identifies a vulnerable instance of Vehicle Showroom Management System 1.0.
Attacker crafts a malicious HTTP request targeting /util/RegisterCustomerFunction.php.
The crafted request includes a SQL injection payload within the BRANCH_ID parameter.
The application fails to properly sanitize the BRANCH_ID input.
The unsanitized input is incorporated into a SQL query executed by the application.
The SQL injection payload manipulates the query to extract sensitive data or modify database records.
The application returns the results of the manipulated query to the attacker.

Impact

Successful exploitation of CVE-2026-6038 can lead to unauthorized access to the Vehicle Showroom Management System’s database. This could result in the disclosure of sensitive customer information (names, addresses, financial details), modification of vehicle inventory data, or even complete compromise of the application’s data integrity. The impact would depend on the level of privileges the application’s database user has and the attacker’s objectives, but it is a high-severity vulnerability due to the ease of exploitation and potential for significant data breach or manipulation.

Recommendation

Inspect web server logs for suspicious POST requests to /util/RegisterCustomerFunction.php containing unusual characters or SQL keywords in the BRANCH_ID parameter using the Sigma rule “Detect SQL Injection Attempt via BRANCH_ID Parameter”.
Apply input validation and sanitization to the BRANCH_ID parameter within the /util/RegisterCustomerFunction.php file to prevent SQL injection.
Monitor database logs for anomalous queries originating from the Vehicle Showroom Management System’s application user.

WordPress adivaha Travel Plugin SQL Injection Vulnerability (CVE-2023-54359)

hello@craftedsignal.io — Thu, 09 Apr 2026 21:16:05 +0000

The adivaha Travel plugin 2.3 for WordPress is susceptible to a time-based blind SQL injection vulnerability (CVE-2023-54359). This flaw allows unauthenticated attackers to inject malicious SQL code through the ‘pid’ GET parameter in requests to the /mobile-app/v3/ endpoint. By crafting specific ‘pid’ values with XOR-based payloads, attackers can manipulate database queries. This vulnerability can be exploited to extract sensitive database information or to cause a denial-of-service condition on the affected WordPress site. Publicly available exploits exist, increasing the risk of widespread exploitation.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable adivaha Travel Plugin version 2.3.
The attacker crafts a malicious HTTP GET request targeting the /mobile-app/v3/ endpoint.
The attacker injects SQL code into the pid GET parameter, utilizing XOR-based payloads to bypass input validation or sanitization.
The server processes the malicious SQL query against the WordPress database.
Due to the time-based blind SQL injection, the attacker infers information about the database by observing the response time of the server.
Through repeated requests, the attacker extracts sensitive data from the database, such as user credentials, API keys, or other confidential information.
Alternatively, the attacker injects SQL code to cause a denial-of-service condition, such as by creating a very long delay.
The attacker uses the exfiltrated data for malicious purposes or further compromise of the WordPress site.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the extraction of sensitive information from the WordPress database, potentially compromising user accounts, customer data, and other confidential information. Attackers could gain complete control over the affected website, leading to defacement, malware distribution, or further attacks on other systems. A successful denial-of-service attack could also disrupt the availability of the website, impacting business operations and user experience.

Recommendation

Apply any available patches or updates for the adivaha Travel Plugin to remediate CVE-2023-54359.
Deploy the Sigma rule Detect Suspicious adivaha Travel Plugin SQL Injection Attempt to your SIEM to identify potential exploitation attempts targeting the /mobile-app/v3/ endpoint.
Inspect web server logs for requests to /mobile-app/v3/ containing suspicious characters or SQL syntax in the pid parameter to identify exploitation attempts (reference: vulnerable endpoint /mobile-app/v3/).
Monitor network traffic for connections to the URLs listed in the IOCs (reference: https://www.exploit-db.com/exploits/51655 and https://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-sql-injection-via-pid).

PHPGurukul News Portal Project SQL Injection Vulnerability (CVE-2026-5837)

hello@craftedsignal.io — Thu, 09 Apr 2026 04:17:23 +0000

CVE-2026-5837 describes a SQL injection vulnerability affecting PHPGurukul News Portal Project version 4.1. The vulnerability resides in the /news-details.php file and is triggered by manipulating the Comment argument. Successful exploitation allows remote attackers to inject arbitrary SQL commands into the application’s database queries. The vulnerability has a CVSS v3.1 score of 7.3, indicating a high severity. Publicly available exploits exist, increasing the risk of active exploitation. Organizations using PHPGurukul News Portal Project 4.1 are urged to investigate and mitigate this vulnerability immediately. The lack of specific patching information emphasizes the importance of proactive detection and prevention measures.

Attack Chain

An attacker identifies a vulnerable PHPGurukul News Portal Project 4.1 instance accessible over the internet.
The attacker crafts a malicious HTTP request targeting the /news-details.php endpoint.
Within the request, the Comment parameter is manipulated to inject SQL code. For example, the attacker might inject a payload such as ' OR '1'='1 to bypass authentication or extract data.
The vulnerable application processes the crafted request without proper sanitization of the Comment parameter.
The injected SQL code is embedded within a database query executed by the application.
The database server executes the attacker-controlled SQL query, potentially allowing the attacker to read, modify, or delete data.
The application returns the results of the injected SQL query to the attacker, potentially revealing sensitive information or confirming successful code execution.
The attacker leverages the SQL injection vulnerability to potentially gain unauthorized access to sensitive data, modify website content, or even gain control of the underlying server.

Impact

Successful exploitation of CVE-2026-5837 can lead to unauthorized access to sensitive information stored in the PHPGurukul News Portal Project’s database. An attacker could potentially steal user credentials, financial data, or other confidential information. The attacker could also modify website content, inject malicious code, or even gain control of the underlying server. Given the public availability of exploits, vulnerable instances are at immediate risk of compromise.

Recommendation

Deploy the Sigma rule Detecting SQL Injection in PHPGurukul News Portal to identify attempts to exploit CVE-2026-5837 by monitoring for suspicious characters in the cs-uri-query field of web server logs.
Apply web application firewall (WAF) rules to block requests containing common SQL injection payloads.
Review and harden the /news-details.php page to properly sanitize the Comment input field.
Monitor web server logs for unusual activity, especially related to the /news-details.php endpoint, and correlate with other security events.

code-projects Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5829)

hello@craftedsignal.io — Thu, 09 Apr 2026 02:16:17 +0000

CVE-2026-5829 is a SQL injection vulnerability affecting version 1.0 of the code-projects Simple IT Discussion Forum. The vulnerability resides in the /pages/content.php file and is triggered by manipulating the post_id argument. Successful exploitation allows a remote attacker to execute arbitrary SQL queries on the underlying database. Given the public disclosure of the exploit, instances of Simple IT Discussion Forum 1.0 are at immediate risk. This is a critical vulnerability as it potentially allows an attacker to read sensitive data, modify existing data, or even gain complete control of the application and its underlying infrastructure.

Attack Chain

The attacker identifies a vulnerable Simple IT Discussion Forum 1.0 instance accessible over the network.
The attacker crafts a malicious HTTP GET or POST request targeting /pages/content.php.
The crafted request includes the post_id parameter containing a SQL injection payload.
The application fails to properly sanitize the post_id input.
The unsanitized post_id parameter is used in a SQL query executed against the database.
The SQL injection payload allows the attacker to bypass intended query logic.
The attacker is able to extract sensitive information from the database or modify data.
The attacker could potentially leverage the SQL injection to execute operating system commands via SQL Server’s xp_cmdshell or similar functionality if available.

Impact

Successful exploitation of CVE-2026-5829 can lead to significant data breaches, data manipulation, and potential system compromise. Attackers could gain unauthorized access to sensitive user data, including credentials and personal information. The impact ranges from defacement of the forum to complete control of the web server hosting the application. The vulnerability allows attackers to read, modify, or delete data stored in the forum’s database.

Recommendation

Apply appropriate input validation and sanitization to the post_id parameter in /pages/content.php to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts via POST ID” to identify potential exploitation attempts targeting the post_id parameter.
Monitor web server logs for suspicious requests containing SQL injection payloads in the post_id parameter.
Review and harden database server configurations to limit the privileges of the database user account used by the Simple IT Discussion Forum application.

Drizzle ORM SQL Injection Vulnerability (CVE-2026-39356)

hello@craftedsignal.io — Wed, 08 Apr 2026 12:00:00 +0000

Drizzle ORM, a TypeScript ORM, contains a SQL injection vulnerability (CVE-2026-39356) in versions prior to 0.45.2 and 1.0.0-beta.20. The vulnerability stems from improper escaping of quoted SQL identifiers within the escapeName() implementations. Specifically, embedded identifier delimiters were not properly escaped before being enclosed in quotes or backticks. This allows attackers to inject arbitrary SQL code by manipulating input passed to APIs like sql.identifier() or .as() which are used to construct SQL identifiers or aliases. Successful exploitation could lead to unauthorized data access, modification, or other database manipulation. Organizations using affected versions of Drizzle ORM are at risk. This issue is resolved in versions 0.45.2 and 1.0.0-beta.20.

Attack Chain

Attacker identifies an application using a vulnerable version of Drizzle ORM (prior to 0.45.2 or 1.0.0-beta.20).
Attacker locates input fields or API endpoints that utilize sql.identifier() or .as() to construct SQL queries.
Attacker crafts malicious input containing embedded identifier delimiters (e.g., quotes or backticks) and SQL code.
The application passes the attacker-controlled input to sql.identifier() or .as() without proper sanitization.
Drizzle ORM’s vulnerable escapeName() function fails to properly escape the malicious delimiters.
The crafted SQL identifier is incorporated into a larger SQL query.
The application executes the compromised SQL query against the database.
The injected SQL code executes, allowing the attacker to perform unauthorized actions such as data exfiltration or modification.

Impact

Successful exploitation of CVE-2026-39356 allows attackers to inject arbitrary SQL queries into the application’s database interactions. This can lead to sensitive data exposure, unauthorized data modification or deletion, and potentially full database compromise. The severity of the impact depends on the application’s database permissions and the sensitivity of the data stored within. Organizations in all sectors utilizing vulnerable Drizzle ORM versions are at risk.

Recommendation

Upgrade Drizzle ORM to version 0.45.2 or 1.0.0-beta.20 to remediate CVE-2026-39356.
Implement robust input validation and sanitization on all user-supplied input that is used in SQL queries, even after upgrading Drizzle ORM.
Deploy the Sigma rule “Detect Drizzle ORM SQL Injection Attempt” to identify exploitation attempts in your environment.
Monitor web server logs for suspicious patterns in HTTP requests indicative of SQL injection attempts (cs-uri-query, cs-uri-stem log fields).

PowerJob SQL Injection Vulnerability (CVE-2026-5736)

hello@craftedsignal.io — Tue, 07 Apr 2026 19:16:48 +0000

CVE-2026-5736 is a SQL injection vulnerability affecting PowerJob, an open-source distributed job scheduling and management platform. The vulnerability resides in the InstanceController.java file within the powerjob-server component, specifically in versions 5.1.0, 5.1.1, and 5.1.2. An attacker can remotely exploit this vulnerability by manipulating the customQuery argument of the detailPlus endpoint, injecting malicious SQL code that is then executed by the application’s database. This could lead to unauthorized data access, modification, or deletion. Despite being reported through an issue report, the project has not yet provided a patch or mitigation. This vulnerability poses a significant risk to organizations using vulnerable versions of PowerJob, potentially enabling attackers to compromise sensitive data and disrupt critical job scheduling processes.

Attack Chain

Attacker identifies a vulnerable PowerJob instance running versions 5.1.0, 5.1.1, or 5.1.2.
Attacker crafts a malicious SQL injection payload, targeting the customQuery parameter of the /detailPlus endpoint.
Attacker sends a crafted HTTP request to the vulnerable /detailPlus endpoint, embedding the SQL injection payload within the customQuery parameter.
The PowerJob server receives the request and processes the customQuery parameter without proper sanitization or validation.
The unsanitized customQuery value is incorporated into an SQL query executed against the PowerJob database.
The injected SQL code is executed, allowing the attacker to bypass intended security restrictions and perform unauthorized database operations.
The attacker may extract sensitive data, modify existing records, or even gain control over the underlying database server.
Depending on the attacker’s objectives, they may leverage the compromised database to pivot to other systems or disrupt critical job scheduling processes.

Impact

Successful exploitation of CVE-2026-5736 can lead to a complete compromise of the PowerJob server and its associated database. An attacker could potentially gain access to sensitive data related to job schedules, configurations, and execution history. They could also modify existing jobs, create new malicious jobs, or even disrupt the entire job scheduling system. The exact impact depends on the scope of data stored in the PowerJob database and the attacker’s objectives, but could include data theft, service disruption, and potentially lateral movement within the compromised network.

Recommendation

Upgrade PowerJob to a patched version that addresses CVE-2026-5736 as soon as it becomes available from the vendor.
Implement input validation and sanitization on the customQuery parameter in the detailPlus endpoint to prevent SQL injection attacks.
Deploy the provided Sigma rule Detect Suspicious PowerJob customQuery Parameter to detect potential exploitation attempts targeting the vulnerable endpoint.
Monitor web server logs for suspicious requests to the /detailPlus endpoint containing potentially malicious SQL injection payloads, as covered in the logsource for the Sigma rule.

Windmill CE/EE SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 07 Apr 2026 17:16:27 +0000

Windmill CE and EE, versions 1.276.0 through 1.603.2, are susceptible to an SQL injection vulnerability (CVE-2026-23696) affecting the folder ownership management functionality. An authenticated attacker can exploit this flaw by injecting SQL code via the owner parameter. Successful exploitation allows the attacker to read sensitive information, including the JWT signing secret and administrative user identifiers. This access enables them to forge administrative tokens, ultimately leading to arbitrary code execution through the workflow execution endpoints. This vulnerability poses a significant risk to organizations using affected versions of Windmill, potentially leading to data breaches and system compromise.

Attack Chain

An attacker authenticates to the Windmill CE/EE instance.
The attacker navigates to the folder ownership management section.
The attacker crafts a malicious HTTP request to modify folder ownership, injecting SQL code into the owner parameter.
The application fails to properly sanitize the input, passing the malicious SQL query to the database.
The SQL injection allows the attacker to extract sensitive information from the database, such as the JWT signing secret and administrative user credentials.
The attacker uses the extracted JWT signing secret to forge an administrative token.
The attacker leverages the forged administrative token to authenticate to the workflow execution endpoint.
The attacker executes arbitrary code on the server via the workflow execution endpoint, achieving remote code execution.

Impact

Successful exploitation of CVE-2026-23696 can lead to complete compromise of the Windmill CE/EE instance. An attacker can gain unauthorized access to sensitive data, including credentials and internal application secrets. They can also execute arbitrary code on the server, potentially leading to data breaches, system downtime, and further lateral movement within the network. This vulnerability affects all organizations using Windmill CE/EE versions 1.276.0 through 1.603.2, and can result in significant financial and reputational damage.

Recommendation

Upgrade Windmill CE/EE to version 1.603.3 or later to patch CVE-2026-23696 as per the vendor’s release notes (https://github.com/windmill-labs/windmill/releases/tag/v1.603.3).
Deploy the Sigma rule Detect Suspicious Windmill Folder Ownership Modification to identify potential SQL injection attempts within HTTP requests to the folder ownership management endpoint.
Monitor web server logs for suspicious activity, such as SQL errors or unusual characters in the owner parameter of requests targeting the folder ownership management endpoint (webserver log source).

ChurchCRM SQL Injection Vulnerability (CVE-2026-35567)

hello@craftedsignal.io — Tue, 07 Apr 2026 16:16:29 +0000

ChurchCRM, an open-source church management system, is susceptible to SQL injection attacks in versions prior to 7.1.0. The vulnerability, identified as CVE-2026-35567, resides in the src/MemberRoleChange.php file, specifically within the NewRole POST parameter. Exploitation requires an attacker to have an authenticated session with the ManageGroups role, along with knowledge of valid GroupID and PersonID values, which can be obtained from the GroupView or PersonView pages. Successful exploitation can lead to unauthorized data access, modification, or deletion within the ChurchCRM database. The vulnerability is resolved in ChurchCRM version 7.1.0.

Attack Chain

Attacker gains authenticated access to ChurchCRM with a user account possessing the ManageGroups role.
Attacker identifies valid GroupID and PersonID values by browsing the GroupView or PersonView pages.
Attacker crafts a malicious HTTP POST request targeting src/MemberRoleChange.php.
The POST request includes the NewRole parameter containing a crafted SQL injection payload, exploiting the lack of proper integer validation.
The application executes the SQL query incorporating the injected payload.
The attacker retrieves sensitive data from the database, modifies existing data, or injects malicious data.
The attacker could leverage the SQL injection to create a new administrative user.
The attacker uses the new administrative account to take complete control of the ChurchCRM instance.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-35567) in ChurchCRM can result in the complete compromise of the application’s database. An attacker can gain unauthorized access to sensitive church member data, including personally identifiable information (PII). This can lead to data breaches, identity theft, and financial fraud. Malicious actors could also modify or delete data, disrupting church operations and potentially causing reputational damage. The impact is critical, especially considering the sensitive nature of the data managed by ChurchCRM.

Recommendation

Upgrade ChurchCRM installations to version 7.1.0 or later to remediate the SQL injection vulnerability (CVE-2026-35567).
Deploy the provided Sigma rule to detect suspicious POST requests to src/MemberRoleChange.php containing potential SQL injection attempts.
Monitor web server logs for unusual activity related to MemberRoleChange.php, especially concerning the NewRole parameter (webserver log source).
Implement input validation and sanitization measures for all user-supplied data, focusing on integer validation for parameters like NewRole.

WeGIA Web Manager SQL Injection Vulnerability (CVE-2026-35395)

hello@craftedsignal.io — Mon, 06 Apr 2026 21:16:21 +0000

WeGIA (Web gerenciador para instituições assistenciais) is a web manager for charitable institutions. Versions prior to 3.6.9 are susceptible to a critical SQL injection vulnerability (CVE-2026-35395) found in the dao/memorando/DespachoDAO.php file. The id_memorando parameter, extracted from the $_REQUEST array, is directly incorporated into SQL queries without any validation or sanitization. This flaw enables authenticated users with low privileges to inject arbitrary SQL commands, potentially leading to complete database compromise. Successful exploitation could result in data breaches, modification of sensitive information, and denial-of-service conditions. Defenders should prioritize upgrading to version 3.6.9 or applying provided patches immediately.

Attack Chain

An authenticated user logs into the WeGIA web application.
The user navigates to a page that triggers the execution of dao/memorando/DespachoDAO.php.
The application extracts the id_memorando parameter from the $_REQUEST array using the HTTP GET or POST method.
The attacker crafts a malicious id_memorando parameter containing SQL injection payloads (e.g., 1; DROP TABLE users; --).
The application directly interpolates the attacker-controlled id_memorando parameter into an SQL query without proper sanitization within the DespachoDAO.php file.
The database server executes the injected SQL command, allowing the attacker to manipulate database records, read sensitive data, or execute arbitrary commands.
The attacker may exfiltrate sensitive data from the database, such as user credentials, financial information, or confidential memorandums.
The attacker achieves complete database compromise, potentially leading to a full system takeover.

Impact

The SQL injection vulnerability in WeGIA versions prior to 3.6.9 poses a significant risk to charitable institutions using the software. Successful exploitation can lead to unauthorized access to sensitive donor information, financial records, and confidential communications. The potential impact includes data breaches, financial losses, reputational damage, and legal liabilities. Given the nature of the targeted institutions, this vulnerability could severely disrupt their operations and erode public trust, potentially affecting thousands of individuals. Organizations that do not apply the patch are vulnerable to data breaches.

Recommendation

Immediately upgrade WeGIA to version 3.6.9 to remediate the SQL injection vulnerability described in CVE-2026-35395.
Implement input validation and sanitization for all user-supplied data, especially the id_memorando parameter in DespachoDAO.php, to prevent future SQL injection attacks.
Deploy the Sigma rule “Detect Suspicious WeGIA SQL Injection Attempts” to your SIEM and tune it for your environment to detect exploitation attempts.
Monitor web server logs for suspicious requests containing SQL injection payloads targeting the dao/memorando/DespachoDAO.php endpoint.
Restrict database access privileges to the minimum required for WeGIA to function correctly.

Media Library Assistant WordPress Plugin SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 15:17:11 +0000

CVE-2026-34885 describes an SQL Injection vulnerability affecting the Media Library Assistant WordPress plugin. This plugin, developed by David Lingren, is vulnerable in versions up to and including 3.34. The vulnerability stems from improper neutralization of special elements used in SQL commands, potentially allowing attackers to inject malicious SQL code. Exploitation could lead to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and its plugin ecosystem, this vulnerability presents a significant risk to websites utilizing the affected plugin. Successful exploitation could compromise sensitive information, deface websites, or even gain administrative control.

Attack Chain

An attacker identifies a WordPress website using Media Library Assistant version 3.34 or earlier.
The attacker crafts a malicious HTTP request containing SQL injection payload in a plugin parameter, such as a search query or media metadata field.
The crafted request is sent to the vulnerable endpoint within the Media Library Assistant plugin.
The plugin fails to properly sanitize or neutralize the SQL injection payload.
The unsanitized payload is incorporated into an SQL query executed against the WordPress database.
The injected SQL code manipulates the query logic, allowing the attacker to bypass security checks.
The attacker extracts sensitive data from the database, such as user credentials, posts, or other stored information.
The attacker could potentially modify or delete data, or even gain administrative access to the WordPress site.

Impact

Successful exploitation of this SQL injection vulnerability could lead to a range of damaging outcomes. Attackers could gain unauthorized access to sensitive data stored within the WordPress database, including user credentials, customer information, and proprietary content. This data could be exfiltrated and sold on the dark web or used for further malicious activities. Website defacement, data modification, and complete site compromise are also potential consequences. The number of affected websites is potentially large, given the popularity of WordPress and its extensive plugin ecosystem.

Recommendation

Upgrade the Media Library Assistant WordPress plugin to a version higher than 3.34 to patch CVE-2026-34885.
Deploy the Sigma rule Detect SQL Injection Attempts via HTTP Request to identify potential exploitation attempts in web server logs.
Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks against WordPress plugins.
Enable regular security audits of WordPress installations and plugins to identify and address vulnerabilities promptly.

GLPI Unauthenticated Time-Based Blind SQL Injection Vulnerability (CVE-2026-26263)

hello@craftedsignal.io — Mon, 06 Apr 2026 15:17:07 +0000

GLPI, a widely used free asset and IT management software, is vulnerable to a critical security flaw. Specifically, versions 11.0.0 to before 11.0.6 contain an unauthenticated time-based blind SQL injection vulnerability (CVE-2026-26263) within its search engine functionality. This vulnerability allows remote attackers to inject malicious SQL code without needing prior authentication. Exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire GLPI instance and the sensitive information it manages. The vulnerability was reported on April 6th, 2026 and patched in version 11.0.6. Organizations using affected versions of GLPI should upgrade immediately to mitigate this risk.

Attack Chain

An unauthenticated attacker identifies a GLPI instance running a vulnerable version (11.0.0 to 11.0.5).
The attacker crafts a malicious HTTP request targeting the search engine functionality.
The crafted request includes a time-based blind SQL injection payload within a search query parameter.
The GLPI server processes the malicious SQL query without proper sanitization.
The injected SQL code interacts with the database, causing time delays based on conditional logic.
The attacker analyzes the response times to infer the results of the injected SQL queries.
Through repeated requests, the attacker extracts sensitive data from the database, such as usernames, passwords, or configuration details.
The attacker uses the extracted credentials to gain unauthorized access to the GLPI system or other related resources.

Impact

Successful exploitation of CVE-2026-26263 can lead to complete compromise of the GLPI instance. Attackers can access sensitive IT asset data, user credentials, and system configurations. This can result in data breaches, financial loss, and reputational damage. Given GLPI’s widespread use in IT management, a successful attack could impact numerous organizations across various sectors. If exploited, attackers can use the compromised GLPI instance as a pivot point to further compromise the internal network.

Recommendation

Upgrade GLPI to version 11.0.6 or later to patch CVE-2026-26263.
Deploy the provided Sigma rule to detect potential exploitation attempts targeting the GLPI search functionality.
Monitor web server logs for suspicious requests containing SQL injection payloads, focusing on parameters used by the GLPI search engine.
Implement input validation and sanitization measures to prevent SQL injection vulnerabilities in web applications.
Regularly review and update web application firewalls (WAFs) with the latest rules to block known SQL injection patterns.

SQL Injection Vulnerability in projectworlds Car Rental System 1.0

hello@craftedsignal.io — Mon, 06 Apr 2026 09:16:18 +0000

A SQL injection vulnerability has been identified in projectworlds Car Rental System version 1.0. This flaw is located within the /message_admin.php file, specifically affecting the Parameter Handler component. By manipulating the Message argument, a remote attacker can inject malicious SQL code, potentially leading to unauthorized data access or modification. The vulnerability, assigned CVE-2026-5637, has a CVSS v3.1 score of 7.3, indicating a high severity. Public exploit code is available, increasing the risk of exploitation. This vulnerability poses a significant threat to systems running the affected Car Rental System version, as it can be exploited without authentication. Defenders should prioritize patching or mitigating this vulnerability to prevent potential data breaches or system compromise.

Attack Chain

Attacker identifies a vulnerable instance of projectworlds Car Rental System 1.0 exposed to the internet.
The attacker crafts a malicious HTTP request targeting the /message_admin.php file.
Within the HTTP request, the attacker manipulates the Message parameter with a SQL injection payload. This payload could be designed to extract data or modify database entries.
The vulnerable /message_admin.php script processes the attacker-supplied input without proper sanitization or validation.
The injected SQL payload is executed against the underlying database server.
The database server processes the malicious SQL query, potentially returning sensitive data to the attacker or modifying data within the database.
The attacker receives the results of the injected SQL query, which may include sensitive data such as user credentials, financial information, or other confidential data.
The attacker can then use the compromised data to further their attack, potentially gaining complete control over the vulnerable system or pivoting to other systems within the network.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-5637) in projectworlds Car Rental System 1.0 could lead to significant data breaches, unauthorized access to sensitive information, and potential system compromise. Attackers could gain access to customer data, financial records, and other confidential information stored within the system’s database. The number of potential victims is dependent on the number of installations running the vulnerable version. Affected sectors include transportation, tourism, and any business using projectworlds Car Rental System 1.0 for managing their car rental operations. If exploited, the vulnerability may result in financial losses, reputational damage, and legal liabilities for the affected organizations.

Recommendation

Apply any available patches or updates for projectworlds Car Rental System 1.0 to address the SQL injection vulnerability (CVE-2026-5637).
Implement input validation and sanitization measures on the /message_admin.php file to prevent SQL injection attacks.
Deploy a web application firewall (WAF) with rules to detect and block SQL injection attempts targeting the Message parameter in the /message_admin.php file.
Monitor web server logs for suspicious activity, such as requests with unusual characters or SQL syntax in the Message parameter, to detect potential exploitation attempts. Use the provided Sigma rule “Detect SQL Injection Attempt in Car Rental System” for this purpose.
Regularly audit and review the codebase of projectworlds Car Rental System 1.0 for other potential vulnerabilities.

Kados R10 GreenBee SQL Injection Vulnerability (CVE-2019-25704)

hello@craftedsignal.io — Sun, 05 Apr 2026 21:16:48 +0000

Kados R10 GreenBee is susceptible to SQL injection attacks due to improper input validation. Specifically, the filter_user_mail parameter does not adequately sanitize user-supplied input, which enables attackers to inject arbitrary SQL code into database queries. Publicly disclosed as CVE-2019-25704, successful exploitation of this vulnerability can result in the unauthorized disclosure of sensitive information, modification of existing data, or potentially complete compromise of the database. The affected software is Kados R10 GreenBee; specific versions are not mentioned in the source.

Attack Chain

The attacker identifies the Kados R10 GreenBee application running.
The attacker locates the filter_user_mail parameter in the application’s web interface or API.
The attacker crafts a malicious HTTP request containing SQL code injected into the filter_user_mail parameter.
The application’s backend processes the crafted request without proper sanitization.
The injected SQL code is executed against the database.
The attacker extracts sensitive data from the database, such as user credentials or financial records, by using SQL injection techniques like UNION SELECT.
Alternatively, the attacker modifies data within the database, such as altering user privileges or inserting malicious content.
The attacker uses the compromised database to further compromise the application or the underlying system.

Impact

Successful exploitation of CVE-2019-25704 allows attackers to extract sensitive data (user credentials, financial records), modify existing data (alter user privileges), or potentially compromise the entire database. The number of affected installations is unknown, but unpatched systems are vulnerable. This could lead to significant data breaches, financial losses, and reputational damage.

Recommendation

Inspect web server logs for HTTP requests targeting the filter_user_mail parameter with suspicious SQL syntax (e.g., UNION, SELECT, --, /* */) to identify potential exploitation attempts. This activity can be detected with the provided Sigma rule for webserver logs.
Deploy a web application firewall (WAF) rule to block requests containing SQL injection payloads targeting the filter_user_mail parameter.
Apply the patch or upgrade to a version of Kados R10 GreenBee that addresses CVE-2019-25704.
Implement input validation and sanitization on all user-supplied input, especially the filter_user_mail parameter, to prevent SQL injection attacks.

Kados R10 GreenBee SQL Injection Vulnerability (CVE-2019-25702)

hello@craftedsignal.io — Sun, 05 Apr 2026 21:16:48 +0000

Kados R10 GreenBee is susceptible to SQL injection attacks due to improper input validation of the id_project parameter. This vulnerability, identified as CVE-2019-25702, allows a remote attacker to inject arbitrary SQL code into database queries. By crafting malicious requests, an attacker can potentially extract sensitive data, modify existing records, or even gain unauthorized access to the underlying database. The vulnerability was published on April 5, 2026, and poses a significant risk to organizations using affected versions of Kados R10 GreenBee, potentially leading to data breaches and system compromise. Defenders should prioritize patching or mitigating this vulnerability to prevent exploitation.

Attack Chain

The attacker identifies a Kados R10 GreenBee instance.
The attacker crafts a malicious HTTP request targeting an endpoint that uses the id_project parameter in a SQL query.
The attacker injects SQL code into the id_project parameter within the crafted HTTP request. For example, id_project=1' OR '1'='1.
The Kados R10 GreenBee application processes the request and executes the injected SQL code against the database.
The database server executes the malicious SQL query, potentially returning sensitive information.
The attacker retrieves the extracted data from the application’s response.
Depending on the injected SQL code, the attacker may modify database records.
The attacker may gain unauthorized access to the database and perform further malicious actions.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2019-25702) can lead to unauthorized access to sensitive database information, including user credentials, financial data, and other confidential records. This can result in data breaches, financial loss, reputational damage, and legal liabilities for affected organizations. The vulnerability allows attackers to read and modify data, potentially disrupting business operations. The CVSS v3.1 score of 8.2 highlights the severity of this issue.

Recommendation

Apply available patches or upgrades for Kados R10 GreenBee to address CVE-2019-25702.
Deploy the Sigma rule Detect Suspicious SQL Injection Attempts in Kados R10 GreenBee to your SIEM to detect exploitation attempts by monitoring HTTP request parameters.
Implement input validation and sanitization for all user-supplied data, especially for parameters used in database queries, to prevent SQL injection attacks.
Monitor web server logs for suspicious activity, such as unusual characters or SQL keywords in the id_project parameter of HTTP requests, as shown in the log source for the Sigma rules below.

C4G Basic Laboratory Information System 3.4 SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 21:16:45 +0000

C4G Basic Laboratory Information System version 3.4 is susceptible to SQL injection vulnerabilities. The vulnerability allows unauthenticated attackers to inject malicious SQL code through the site parameter in HTTP GET requests targeting the users_select.php endpoint. Successful exploitation could grant attackers unauthorized access to sensitive data stored within the system’s database, including confidential patient records and system credentials. This vulnerability poses a significant threat to organizations utilizing the affected LIS, as it may lead to data breaches, compliance violations, and potential compromise of the entire system. Public exploits are available, increasing the risk of widespread exploitation.

Attack Chain

The attacker identifies a vulnerable C4G Basic Laboratory Information System 3.4 instance.
The attacker crafts a malicious SQL injection payload designed to extract data or execute commands.
The attacker sends an HTTP GET request to the users_select.php endpoint with the crafted SQL payload injected into the site parameter.
The vulnerable application processes the malicious SQL query without proper sanitization.
The database executes the injected SQL commands, potentially returning sensitive data.
The attacker receives the database response containing the extracted information or the results of the executed commands.
The attacker uses the extracted information, such as user credentials or patient data, for further malicious activities.

Impact

Successful exploitation of this SQL injection vulnerability allows unauthorized access to sensitive data stored within the C4G Basic Laboratory Information System 3.4 database. This includes patient records, system credentials, and potentially other confidential information. The impact can range from data breaches and privacy violations to complete system compromise, depending on the privileges of the database user and the extent of the attacker’s knowledge.

Recommendation

Apply any available patches or updates for C4G Basic Laboratory Information System 3.4 to remediate the SQL injection vulnerability described in CVE-2019-25678.
Deploy the Sigma rule Detect SQL Injection Attempt in C4G Basic LIS to identify potential exploitation attempts against the users_select.php endpoint.
Implement input validation and sanitization measures to prevent SQL injection attacks against web applications.

SuiteCRM 7.10.7 Time-Based SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 21:16:43 +0000

SuiteCRM 7.10.7 is susceptible to a time-based SQL injection vulnerability (CVE-2019-25664) affecting the record parameter within the Users module’s DetailView action. This flaw enables authenticated attackers to inject arbitrary SQL code into database queries by manipulating the record parameter within GET requests directed to the index.php endpoint. By exploiting this vulnerability, attackers can leverage time-based blind SQL injection techniques to extract sensitive database information. This vulnerability poses a significant risk to organizations utilizing vulnerable versions of SuiteCRM as it can lead to unauthorized access to sensitive data.

Attack Chain

An attacker authenticates to the SuiteCRM application.
The attacker crafts a malicious GET request targeting the index.php endpoint.
The attacker injects SQL code into the record parameter of the GET request, specifically targeting the Users module’s DetailView action.
The SuiteCRM application processes the crafted request without proper sanitization of the record parameter.
The injected SQL code is executed within the context of the database query.
The attacker leverages time-based SQL injection techniques to infer information about the database structure and content by observing the response times.
Sensitive data is extracted from the database through repeated time-based injection attacks.
The attacker exfiltrates the extracted data.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the unauthorized disclosure of sensitive data stored within the SuiteCRM database. The scope of the impact depends on the level of access granted to the compromised user account, but could include customer data, financial information, or other confidential business data. While there is no count on victims available, all SuiteCRM 7.10.7 installations are vulnerable.

Recommendation

Upgrade to a patched version of SuiteCRM that addresses CVE-2019-25664 to remediate the SQL injection vulnerability.
Deploy the Sigma rule provided below to detect exploitation attempts targeting the vulnerable index.php endpoint.
Implement input validation and sanitization measures within the SuiteCRM application to prevent SQL injection attacks.
Monitor web server logs for suspicious GET requests containing potentially malicious SQL code in the record parameter.

SQL Injection Vulnerability in jkev Record Management System 1.0 (CVE-2026-5575)

hello@craftedsignal.io — Sun, 05 Apr 2026 15:16:43 +0000

CVE-2026-5575 is a critical security flaw discovered in SourceCodester/jkev Record Management System version 1.0. Specifically, a SQL injection vulnerability is present within the Login component’s index.php file. The vulnerability allows unauthenticated, remote attackers to inject malicious SQL code via the Username parameter. Given that an exploit is publicly available, the risk of exploitation is elevated. This could lead to unauthorized data access, modification, or deletion, potentially compromising the entire Record Management System. Organizations using this software should take immediate action to mitigate the risk.

Attack Chain

An attacker identifies a vulnerable instance of SourceCodester/jkev Record Management System 1.0 exposed to the internet.
The attacker crafts a malicious HTTP request targeting the index.php file associated with the Login component.
Within the HTTP request, the attacker injects SQL code into the Username parameter of the login form.
The application fails to properly sanitize or validate the Username input before incorporating it into an SQL query.
The injected SQL code is executed against the underlying database, potentially bypassing authentication.
The attacker gains unauthorized access to sensitive data stored in the database, such as user credentials or records.
The attacker may modify or delete data, depending on the privileges of the database user account used by the application.
The attacker can potentially pivot to other systems or networks using the compromised database server.

Impact

Successful exploitation of CVE-2026-5575 can lead to complete compromise of the jkev Record Management System. Attackers can steal sensitive data, modify existing records, or even delete the entire database. This could result in significant financial losses, reputational damage, and legal liabilities. The vulnerable software is used to manage records, so successful attacks could expose confidential customer or business data depending on the nature of the records being managed.

Recommendation

Deploy the Sigma rule Detecting JKEV Record Management System SQL Injection Attempt to your SIEM to identify exploitation attempts targeting the vulnerable login page.
Inspect web server logs for requests to /index.php with suspicious characters or SQL keywords in the Username parameter to identify potential attack attempts (see rules section).
Implement input validation and sanitization on the Username parameter in index.php to prevent SQL injection, addressing CVE-2026-5575.

code-projects Simple Laundry System 1.0 SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 13:17:13 +0000

A security vulnerability, CVE-2026-5565, has been identified in code-projects Simple Laundry System version 1.0. This vulnerability is located within the /delmemberinfo.php file, specifically affecting the handling of the userid parameter. Successful exploitation of this flaw allows for SQL injection, enabling a remote attacker to potentially manipulate database queries. Publicly available exploits exist, increasing the risk of widespread exploitation targeting vulnerable installations of the Simple Laundry System 1.0. This could lead to unauthorized data access, modification, or deletion. The vulnerability was reported on April 5, 2026.

Attack Chain

Attacker identifies a vulnerable Simple Laundry System 1.0 instance.
Attacker crafts a malicious HTTP request targeting /delmemberinfo.php.
The crafted request includes a SQL injection payload within the userid parameter.
The application fails to properly sanitize the userid input.
The unsanitized input is passed directly into a SQL query.
The attacker’s SQL injection payload is executed by the database server.
The attacker gains the ability to read, modify, or delete data within the database.
The attacker may escalate privileges or pivot to other parts of the system depending on the database configuration and application code.

Impact

Successful exploitation of CVE-2026-5565 allows attackers to inject arbitrary SQL commands into the Simple Laundry System 1.0 database. This can lead to unauthorized data access, modification, or deletion, potentially compromising sensitive user information, laundry transaction data, and system configurations. A successful attack could result in financial losses, reputational damage, and legal liabilities for affected laundry businesses. While the exact number of vulnerable installations is unknown, the availability of public exploits increases the likelihood of widespread attacks.

Recommendation

Inspect web server logs for suspicious requests to /delmemberinfo.php containing potentially malicious SQL syntax within the userid parameter (reference: Attack Chain).
Deploy the Sigma rule provided below to detect SQL injection attempts targeting the vulnerable endpoint (reference: Sigma rule “Detect SQL Injection Attempts to delmemberinfo.php”).
Apply input validation and sanitization to the userid parameter in /delmemberinfo.php to prevent SQL injection (reference: CVE-2026-5565).

SQL Injection Vulnerability in Concert Ticket Reservation System

hello@craftedsignal.io — Sun, 05 Apr 2026 10:16:18 +0000

CVE-2026-5554 details a SQL injection vulnerability affecting code-projects Concert Ticket Reservation System version 1.0. The vulnerability resides within the /ConcertTicketReservationSystem-master/process_search.php file, specifically in how the Parameter Handler component processes search arguments. A remote attacker can manipulate the searching argument to inject arbitrary SQL commands. Publicly available exploits exist, increasing the risk of active exploitation. Successful exploitation allows the attacker to read, modify, or delete sensitive data within the application’s database. This poses a significant threat to the confidentiality, integrity, and availability of the system.

Attack Chain

Attacker identifies an instance of Concert Ticket Reservation System 1.0 accessible over the network.
Attacker crafts a malicious SQL injection payload targeting the searching parameter in the /ConcertTicketReservationSystem-master/process_search.php file.
The attacker sends a crafted HTTP request to the vulnerable endpoint, injecting SQL code into the application’s database query.
The application executes the attacker-controlled SQL query against its database.
The attacker gains unauthorized access to sensitive data stored in the database, such as user credentials, ticket information, or financial records.
The attacker may modify or delete data, disrupting service and potentially causing financial loss.
The attacker may use the compromised database to pivot to other systems or escalate privileges within the network.

Impact

Successful exploitation of CVE-2026-5554 can lead to complete database compromise, potentially affecting all users and transactions within the Concert Ticket Reservation System. The number of affected installations is unknown, but any system running version 1.0 is vulnerable. Attackers can steal user credentials, modify ticket prices, disrupt ticket sales, or even shut down the system entirely, resulting in significant financial and reputational damage for the affected organization.

Recommendation

Apply any available patches or updates from code-projects to address CVE-2026-5554.
Deploy the Sigma rule Detecting SQL Injection Attempts to detect attempts to exploit the vulnerability via malicious HTTP requests.
Implement input validation and sanitization on all user-supplied input to prevent SQL injection attacks.
Monitor web server logs for suspicious activity related to /ConcertTicketReservationSystem-master/process_search.php, as this is the vulnerable endpoint.
Consider using a web application firewall (WAF) to filter malicious requests targeting the application.

SQL Injection Vulnerability in Free Hotel Reservation System 1.0 (CVE-2026-5551)

hello@craftedsignal.io — Sun, 05 Apr 2026 09:16:17 +0000

itsourcecode Free Hotel Reservation System version 1.0 is vulnerable to SQL injection. The vulnerability, identified as CVE-2026-5551, resides in the /hotel/admin/login.php file within the Parameter Handler component. Publicly available exploits target the email parameter, allowing unauthenticated remote attackers to inject malicious SQL queries. This vulnerability can lead to unauthorized access to sensitive data, modification of the database, or even complete compromise of the affected system. Due to the public availability of exploits, defenders must implement immediate detection and prevention measures.

Attack Chain

An attacker identifies an instance of itsourcecode Free Hotel Reservation System 1.0.
The attacker crafts a malicious HTTP request targeting the /hotel/admin/login.php endpoint.
The crafted request includes a SQL injection payload within the email parameter.
The application fails to properly sanitize the email input.
The application executes the attacker-controlled SQL query against the database.
The attacker bypasses authentication by injecting SQL to return valid credentials.
The attacker gains unauthorized administrative access to the system.
The attacker extracts sensitive information from the database, such as user credentials or reservation details, or modifies data.

Impact

Successful exploitation of CVE-2026-5551 can lead to complete compromise of the vulnerable Free Hotel Reservation System 1.0 instance. This can result in the exposure of sensitive customer data, including personal information and financial details. Attackers could also modify reservation data, disrupt hotel operations, or use the compromised system as a launching point for further attacks within the network. Given the nature of the vulnerability, any hotel or organization using this software is at risk of data breaches and financial losses.

Recommendation

Deploy the Sigma rule Detect SQL Injection in Free Hotel Reservation System Login to detect exploitation attempts against /hotel/admin/login.php in web server logs.
Apply input validation and sanitization to the email parameter in /hotel/admin/login.php to prevent SQL injection, mitigating CVE-2026-5551.
Monitor web server logs for suspicious activity and SQL-related keywords in HTTP POST requests to /hotel/admin/login.php.
Implement regular security audits and penetration testing to identify and address potential vulnerabilities in web applications.

Piwigo SQL Injection Vulnerability (CVE-2026-27885)

hello@craftedsignal.io — Fri, 03 Apr 2026 22:16:26 +0000

Piwigo is an open-source photo gallery application. A SQL Injection vulnerability, identified as CVE-2026-27885, exists in Piwigo versions prior to 16.3.0. Specifically, the Activity List API endpoint is susceptible. An authenticated administrator, by crafting malicious SQL queries, can exploit this vulnerability to extract sensitive data, including user credentials, email addresses, and all stored content within the Piwigo database. Piwigo versions 16.3.0 and later contain a patch for this vulnerability. This allows attackers to potentially take over the entire Piwigo instance by exploiting the vulnerability and dumping the credentials of other administrators or users. The CVSS v3.1 base score is rated as 7.2 (HIGH).

Attack Chain

An attacker gains administrative access to a Piwigo instance running a version prior to 16.3.0, through either brute-forcing credentials or compromising an existing admin account.
The attacker crafts a malicious SQL query designed to exploit the SQL Injection vulnerability in the Activity List API endpoint.
The attacker sends a request to the vulnerable Activity List API endpoint with the crafted SQL payload embedded within the request parameters.
The Piwigo application processes the request without proper sanitization, executing the malicious SQL query against the database.
The database returns the results of the malicious query, which could include sensitive information such as user credentials, email addresses, and other stored data.
The attacker captures the database response and extracts the sensitive information.
The attacker uses the extracted credentials to elevate privileges or impersonate other users, potentially gaining full control of the Piwigo instance.
The attacker exfiltrates sensitive data, defaces the photo gallery, or performs other malicious actions.

Impact

Successful exploitation of CVE-2026-27885 can lead to complete compromise of a Piwigo instance. An attacker could steal user credentials, modify or delete photos, and potentially use the compromised server as a staging point for further attacks. The number of affected installations is unknown, but any Piwigo instance running a version prior to 16.3.0 is vulnerable if an attacker can get administrative access.

Recommendation

Upgrade Piwigo installations to version 16.3.0 or later to patch CVE-2026-27885.
Monitor web server logs for suspicious requests to the Activity List API endpoint that contain potentially malicious SQL syntax to trigger the rule Detecting SQL Injection Attempts in Piwigo.
Implement strict input validation and sanitization on all user-supplied data to prevent SQL injection vulnerabilities.

Piwigo SQL Injection Vulnerability (CVE-2026-27834)

hello@craftedsignal.io — Fri, 03 Apr 2026 22:16:26 +0000

Piwigo, an open-source photo gallery application, is vulnerable to SQL injection in versions before 16.3.0. The vulnerability resides in the pwg.users.getList Web Service API method. Specifically, the filter parameter is directly concatenated into a SQL query without sufficient sanitization. This allows an authenticated administrator to inject and execute arbitrary SQL commands on the Piwigo server. Successful exploitation could lead to data exfiltration, modification, or complete compromise of the Piwigo instance. Version 16.3.0 patches this vulnerability. The vulnerability was reported on April 3rd, 2026.

Attack Chain

An authenticated administrator logs into the Piwigo web interface.
The administrator crafts a malicious HTTP POST request to the api.php endpoint, targeting the pwg.users.getList Web Service API method.
The malicious request includes the filter parameter containing a SQL injection payload. The payload is designed to exploit the lack of sanitization.
The Piwigo application receives the request and processes the pwg.users.getList API call.
The application concatenates the attacker-controlled filter parameter directly into a SQL query without proper escaping or sanitization.
The crafted SQL query is executed against the Piwigo database.
The injected SQL code performs unauthorized actions, such as extracting sensitive data, modifying database records, or executing system commands via SQL.
The attacker retrieves the results of the injected SQL query from the HTTP response.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-27834) in Piwigo versions before 16.3.0 can lead to complete compromise of the Piwigo installation. An attacker could potentially access sensitive data such as user credentials, private photos, and system configuration information. The attacker could also modify or delete data, disrupt service, or potentially gain unauthorized access to the underlying server. Given the administrator privilege required for exploitation, the impact is considered significant within the vulnerable Piwigo instance.

Recommendation

Upgrade Piwigo to version 16.3.0 or later to patch CVE-2026-27834 (see references).
Deploy the provided Sigma rule to detect exploitation attempts against the pwg.users.getList API endpoint.
Monitor web server logs for suspicious POST requests to api.php containing unusual characters or SQL keywords in the filter parameter.

SQL Injection Vulnerability in itsourcecode Online Enrollment System 1.0

hello@craftedsignal.io — Thu, 02 Apr 2026 14:16:37 +0000

A SQL injection vulnerability has been identified in itsourcecode Online Enrollment System version 1.0. The vulnerability resides within the Parameter Handler component of the application, specifically affecting the /enrollment/index.php endpoint. By manipulating the deptid argument, a remote attacker can inject malicious SQL queries, potentially leading to unauthorized data access, modification, or even remote code execution. This vulnerability is particularly concerning because a public exploit is available, increasing the likelihood of active exploitation. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise of their systems. The scope of impact includes any system running the vulnerable version of itsourcecode Online Enrollment System.

Attack Chain

The attacker identifies a vulnerable instance of itsourcecode Online Enrollment System 1.0.
The attacker crafts a malicious HTTP request targeting /enrollment/index.php?view=edit&id=3.
The attacker injects SQL code into the deptid parameter of the HTTP request.
The web server processes the request and passes the tainted deptid parameter to the SQL query.
The injected SQL code is executed against the database, allowing the attacker to bypass authentication or access sensitive data.
The attacker may escalate the attack by attempting to execute arbitrary commands on the server.
Successful exploitation allows the attacker to dump database contents, modify enrollment records, or gain administrative access.

Impact

Successful exploitation of this SQL injection vulnerability could lead to complete compromise of the Online Enrollment System. This includes unauthorized access to sensitive student data, modification of enrollment records, and potentially remote code execution on the server. Given that a public exploit exists, organizations using the vulnerable software are at high risk of experiencing data breaches, financial losses, and reputational damage. The potential victim count depends on the number of installations of the affected Online Enrollment System.

Recommendation

Inspect web server logs for suspicious POST requests to /enrollment/index.php containing potentially malicious SQL syntax within the deptid parameter to identify potential exploitation attempts.
Deploy the Sigma rule Detect SQL Injection Attempt via deptid Parameter to detect exploitation attempts targeting the vulnerable endpoint.
Block requests to /enrollment/index.php?view=edit&id=3 containing SQL keywords in the deptid parameter at the WAF or reverse proxy.
Apply input validation and sanitization to the deptid parameter within the application code to prevent SQL injection attacks in the future.

Unauthenticated SQL Injection Vulnerability in mb24api Endpoint (CVE-2026-33616)

hello@craftedsignal.io — Thu, 02 Apr 2026 10:16:17 +0000

CVE-2026-33616 identifies a critical security flaw affecting the mb24api endpoint, stemming from an unauthenticated blind SQL Injection vulnerability. The root cause lies in the improper neutralization of special elements within a SQL SELECT command. This vulnerability poses a significant threat, as it allows an unauthenticated remote attacker to inject malicious SQL code. Successful exploitation can result in complete compromise of data confidentiality. Defenders need to be aware of the potential for unauthorized data access and manipulation due to this vulnerability and should prioritize patching or implementing compensating controls. The affected product and version are not specified in the source document.

Attack Chain

The attacker identifies the vulnerable mb24api endpoint.
The attacker crafts a malicious HTTP request containing SQL injection payloads within the URL parameters or request body.
The vulnerable mb24api endpoint processes the HTTP request and incorporates the attacker’s SQL injection payload into a SQL SELECT query without proper sanitization.
The injected SQL code is executed against the backend database.
Due to the blind SQL injection nature, the attacker infers database structure and data by observing the application’s response times or error messages triggered by the injected SQL code.
The attacker extracts sensitive information, such as usernames, passwords, or customer data, by using SQL injection techniques like UNION SELECT or boolean-based blind SQL injection.
The attacker gains unauthorized access to the application’s data.
The attacker exfiltrates the stolen data.

Impact

Successful exploitation of CVE-2026-33616 can lead to a total loss of data confidentiality. An attacker can gain unauthorized access to sensitive information stored in the database, including user credentials, personal data, and proprietary business information. The impact of this vulnerability is high, as it can result in significant financial losses, reputational damage, and legal liabilities for the affected organization. The number of potential victims is unknown, but could be significant depending on the scope and user base of the affected application.

Recommendation

Apply any available patches or updates provided by the vendor to address CVE-2026-33616.
Implement input validation and sanitization measures to prevent SQL injection attacks, focusing on the mb24api endpoint.
Deploy a web application firewall (WAF) with rules to detect and block SQL injection attempts targeting the mb24api endpoint.
Monitor web server logs for suspicious activity, such as unusual HTTP requests or SQL syntax in request parameters and enable webserver and proxy logs.
Implement the provided Sigma rule to detect potential SQL injection attempts in web server logs.

Unauthenticated SQL Injection Vulnerability in setinfo Endpoint

hello@craftedsignal.io — Thu, 02 Apr 2026 10:16:16 +0000

CVE-2026-33615 describes a critical security vulnerability affecting the setinfo endpoint. This vulnerability allows an unauthenticated remote attacker to inject malicious SQL code due to the improper neutralization of special elements within a SQL UPDATE command. The vulnerability was published on April 2, 2026. Successful exploitation can lead to complete data compromise, system downtime, and a total loss of integrity and availability. This vulnerability poses a significant risk to organizations utilizing the affected setinfo endpoint.

Attack Chain

The attacker identifies the vulnerable setinfo endpoint, which is accessible without authentication.
The attacker crafts a malicious HTTP request containing SQL injection payloads within the parameters intended for the setinfo function.
The application fails to properly sanitize or validate the input, allowing the SQL injection payload to be passed directly to the database.
The injected SQL code is executed within the context of the SQL UPDATE command, potentially modifying sensitive data.
The attacker leverages the SQL injection to escalate privileges or gain access to other parts of the database.
The attacker may exfiltrate sensitive information or modify database records to cause a denial of service.
The attacker can potentially overwrite critical data, leading to a total loss of integrity.
The attacker may use the compromised system as a pivot point to attack other internal systems.

Impact

Successful exploitation of this vulnerability (CVE-2026-33615) can lead to a total loss of data integrity and system availability. This could result in significant financial losses, reputational damage, and disruption of critical services. Since the vulnerability is unauthenticated, any attacker on the network can potentially exploit it, leading to widespread compromise.

Recommendation

Inspect web server logs for unusual requests to the setinfo endpoint containing SQL syntax to identify potential exploitation attempts (Log source: webserver).
Monitor database logs for SQL UPDATE commands originating from the application that contain suspicious or unexpected syntax to detect potential SQL injection (Log source: database).
Implement input validation and sanitization measures to neutralize special elements in SQL commands to prevent future exploitation of SQL injection vulnerabilities.
Deploy the Sigma rule “Detect Potential SQL Injection in setinfo Endpoint” to your SIEM and tune for your environment.

Unauthenticated SQL Injection Vulnerability in getinfo Endpoint (CVE-2026-33614)

hello@craftedsignal.io — Thu, 02 Apr 2026 10:16:16 +0000

CVE-2026-33614 describes an unauthenticated SQL Injection vulnerability present in the getinfo endpoint of an unspecified application. Discovered and reported by CERT VDE, the vulnerability stems from the improper neutralization of special elements within a SQL SELECT command. A remote, unauthenticated attacker can exploit this flaw to inject malicious SQL code, potentially gaining unauthorized access to sensitive data. Successful exploitation results in a total loss of confidentiality, as the attacker can retrieve any information stored in the database. The scope of affected products is currently unknown, highlighting the need for further investigation and patching by vendors who utilize similar getinfo endpoints and SQL queries. This vulnerability poses a significant risk as it requires no authentication, making it easily exploitable.

Attack Chain

Attacker identifies a vulnerable getinfo endpoint that accepts user-supplied input.
Attacker crafts a malicious SQL injection payload, embedding it within a seemingly benign request to the getinfo endpoint.
The application fails to properly sanitize or validate the attacker’s input.
The unsanitized input is directly incorporated into a SQL SELECT query executed by the application.
The injected SQL code modifies the original query, potentially bypassing security measures and accessing sensitive data.
The database executes the modified SQL query, treating the injected code as legitimate commands.
The application retrieves the results of the injected query, which may include sensitive data such as usernames, passwords, or financial information.
The attacker receives the leaked data in the response from the getinfo endpoint, completing the data exfiltration.

Impact

Successful exploitation of CVE-2026-33614 leads to a total loss of confidentiality. Attackers can potentially access and exfiltrate sensitive data stored in the application’s database, including user credentials, financial records, and other confidential information. The number of potential victims is unknown, as the affected product is not specified in the CVE. However, any application utilizing a vulnerable getinfo endpoint is at risk. The impact includes data breaches, identity theft, financial fraud, and reputational damage.

Recommendation

Inspect web server logs for suspicious requests to getinfo endpoints containing SQL syntax (e.g., SELECT, UNION, OR) to identify potential exploitation attempts. Use the provided Sigma rule Detect Suspicious getinfo SQL Injection Attempts for this purpose.
Implement input validation and sanitization on all user-supplied input to the getinfo endpoint to prevent SQL injection attacks.
Deploy parameterized queries or prepared statements to ensure that user input is treated as data, not executable code.
Monitor database logs for anomalous SQL queries originating from the application server to detect potential SQL injection activity.
Apply the principle of least privilege to database accounts used by the application, limiting their access to only the necessary data.
Conduct regular security audits and penetration testing to identify and address potential vulnerabilities, including SQL injection flaws.

AlejandroArciniegas mcp-data-vis SQL Injection Vulnerability

hello@craftedsignal.io — Thu, 02 Apr 2026 06:16:23 +0000

A SQL injection vulnerability has been identified in AlejandroArciniegas’s mcp-data-vis project, affecting the MCP Handler component. The vulnerability resides within the Request function of the src/servers/database/server.js file. This flaw allows a remote attacker to inject arbitrary SQL commands through manipulation of input parameters. Public exploit code is available, increasing the risk of exploitation. Due to the software’s rolling release model, identifying specific vulnerable versions is challenging. The vendor was notified but did not respond to the disclosure, potentially delaying remediation efforts and increasing the window of opportunity for malicious actors to exploit this vulnerability.

Attack Chain

Attacker identifies a publicly accessible instance of mcp-data-vis.
The attacker analyzes the src/servers/database/server.js file to understand the structure of the Request function.
The attacker crafts a malicious SQL injection payload targeting the Request function.
The attacker sends a specially crafted HTTP request containing the SQL injection payload to the vulnerable endpoint.
The vulnerable Request function processes the malicious SQL query without proper sanitization.
The injected SQL code is executed against the backend database, potentially allowing data extraction.
The attacker retrieves sensitive data from the database, such as user credentials or application configuration.
The attacker could potentially use the compromised database to pivot to other systems within the network, or deface the web application.

Impact

Successful exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive data, including user credentials and application configurations. The lack of versioning information due to the rolling release model makes it difficult to identify and patch vulnerable instances. Organizations using mcp-data-vis are at risk of data breaches, service disruption, and potential compromise of their entire infrastructure if this vulnerability is exploited. Given the public availability of exploit code, the likelihood of exploitation is high, particularly for unpatched systems.

Recommendation

Inspect and sanitize all user-provided input passed to the Request function in src/servers/database/server.js within the mcp-data-vis application to prevent SQL injection.
Deploy the provided Sigma rule to detect suspicious network activity indicative of SQL injection attempts targeting the Request function.
Monitor web server logs for suspicious HTTP requests containing potentially malicious SQL syntax related to CVE-2026-5322.
Implement a Web Application Firewall (WAF) with rules to block common SQL injection payloads targeting the mcp-data-vis application.

pandas-ai SQL Injection Vulnerability (CVE-2026-30273)

hello@craftedsignal.io — Wed, 01 Apr 2026 17:28:38 +0000

pandas-ai v3.0.0 contains a SQL injection vulnerability in the pandasai.agent.base._execute_sql_query component. This flaw, identified as CVE-2026-30273, could allow an attacker to inject malicious SQL code into queries executed by the application. Successful exploitation can lead to unauthorized data access, modification, or deletion within the underlying database. Given the nature of pandas-ai as a tool intended to work with data, this vulnerability poses a significant risk to data integrity and confidentiality. The affected version is pandas-ai v3.0.0, and users of this version should take immediate action to mitigate the risk.

Attack Chain

An attacker identifies a publicly accessible endpoint in the pandas-ai application that leverages the vulnerable _execute_sql_query function.
The attacker crafts a malicious SQL query string containing SQL injection payloads.
This malicious SQL query is submitted to the vulnerable endpoint, often as part of user-supplied input.
The pandas-ai application passes the tainted SQL query to the _execute_sql_query function without proper sanitization or parameterization.
The _execute_sql_query function executes the injected SQL command directly against the database.
The attacker gains unauthorized access to sensitive data stored in the database.
The attacker may modify or delete data, escalate privileges, or potentially execute arbitrary code on the database server, depending on database permissions and configuration.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-30273) can result in unauthorized access to sensitive data, data modification or deletion, and potential compromise of the underlying database server. The impact depends on the permissions granted to the database user the pandas-ai application uses. This vulnerability could affect any organization using pandas-ai v3.0.0 to interact with SQL databases, potentially leading to data breaches, financial loss, and reputational damage.

Recommendation

Upgrade to a patched version of pandas-ai that addresses CVE-2026-30273. Check the pandas-ai GitHub repository for updates (https://github.com/sinaptik-ai/pandas-ai).
Implement robust input validation and sanitization measures to prevent SQL injection attacks. Specifically, focus on sanitizing any input passed to the pandasai.agent.base._execute_sql_query function.
Deploy the Sigma rule Detecting_Potential_PandasAI_SQL_Injection_Attempts to identify potential exploitation attempts within web server logs.
Regularly audit and review the application’s code to identify and remediate potential security vulnerabilities.

Django Multiple Vulnerabilities Leading to SQL Injection, Information Disclosure, and DoS

hello@craftedsignal.io — Wed, 01 Apr 2026 09:20:35 +0000

Multiple vulnerabilities have been identified in the Django web framework that could allow a remote, authenticated attacker to perform SQL injection attacks, disclose sensitive information, or cause a denial-of-service (DoS) condition. This vulnerability impacts Django-based applications, potentially exposing sensitive data and disrupting services. Defenders need to prioritize detection and mitigation strategies to prevent exploitation of these weaknesses. Specific Django versions affected are not detailed in the source, requiring a broad approach to detection across Django deployments. The lack of specific CVEs makes targeted patching difficult, emphasizing the importance of proactive monitoring for exploitation attempts.

Attack Chain

An attacker gains valid credentials to a Django-based web application through credential stuffing or other means.
The attacker identifies input fields within the application that are vulnerable to SQL injection, such as search boxes or form fields that directly interact with the database.
The attacker crafts malicious SQL queries using techniques like SQL injection within these vulnerable input fields.
The Django application, without proper input sanitization, executes the attacker-controlled SQL query against the underlying database.
Depending on the specific vulnerability and database permissions, the attacker may extract sensitive data, such as user credentials, financial information, or internal application data.
The attacker may also modify database records to escalate privileges or manipulate application behavior.
By exploiting vulnerabilities that cause excessive resource consumption, the attacker can trigger a denial-of-service condition, rendering the application unavailable to legitimate users.
The attacker exfiltrates the gathered information or uses the compromised application for further malicious activities.

Impact

Successful exploitation of these Django vulnerabilities can lead to significant data breaches, compromising sensitive user data and intellectual property. Affected organizations could face financial losses due to regulatory fines, legal liabilities, and reputational damage. A denial-of-service condition can disrupt business operations and damage customer trust. The number of affected organizations is potentially large, given the widespread use of the Django framework in web application development.

Recommendation

Deploy the Sigma rule to detect potential SQL injection attempts targeting Django applications, focusing on webserver logs and HTTP request parameters.
Implement strong input validation and sanitization measures within Django applications to prevent SQL injection vulnerabilities (reference: overview).
Monitor web server logs for unusual activity patterns, such as large numbers of requests from a single IP address, which could indicate a denial-of-service attack (reference: attack chain step 7).
Regularly audit Django applications for security vulnerabilities and apply necessary patches and updates (reference: overview).
Consider using a web application firewall (WAF) to filter out malicious requests and protect against common web application attacks (reference: overview).

itsourcecode Payroll Management System 1.0 SQL Injection Vulnerability

hello@craftedsignal.io — Wed, 01 Apr 2026 00:16:02 +0000

itsourcecode Payroll Management System 1.0 is vulnerable to SQL injection in the /view_employee.php script. This vulnerability, identified as CVE-2026-5238, allows a remote attacker to inject arbitrary SQL commands by manipulating the ID parameter. Publicly available exploits exist, increasing the risk of exploitation. Successful exploitation could lead to unauthorized data access, modification, or deletion within the payroll database. This poses a significant threat to organizations using the affected software, potentially compromising sensitive employee information. Defenders need to implement immediate mitigation strategies to prevent potential attacks.

Attack Chain

Attacker identifies an instance of itsourcecode Payroll Management System 1.0.
Attacker crafts a malicious SQL injection payload targeting the ID parameter in the /view_employee.php file.
The attacker sends an HTTP GET or POST request to /view_employee.php with the crafted SQL injection payload in the ID parameter (e.g., /view_employee.php?ID=1' UNION SELECT ...).
The application fails to properly sanitize the input, passing the malicious SQL query to the database.
The database executes the injected SQL command, potentially returning sensitive data or allowing data modification.
The attacker retrieves sensitive data from the database, such as employee usernames, passwords, social security numbers, and salary information.
The attacker may further escalate the attack by modifying or deleting data within the payroll system.
The attacker achieves complete control over the payroll database, potentially leading to financial fraud or data breaches.

Impact

Successful exploitation of this SQL injection vulnerability allows attackers to access and manipulate sensitive payroll data. This could lead to data breaches, financial fraud, and reputational damage. The impact includes unauthorized access to employee personal information, modification of payroll records, and potential theft of funds. Given the public availability of exploits, organizations using itsourcecode Payroll Management System 1.0 are at immediate risk. The vulnerability could impact any organization using this software.

Recommendation

Inspect web server logs for suspicious requests to /view_employee.php containing SQL syntax in the ID parameter and deploy the Sigma rule.
Apply input validation and sanitization to the ID parameter in /view_employee.php to prevent SQL injection, as indicated by CVE-2026-5238.
Monitor network traffic for unusual database activity originating from the web server and deploy the Sigma rule.
Deploy the provided Sigma rule to detect exploitation attempts and tune it to your environment.
Apply web application firewall (WAF) rules to block known SQL injection attack patterns.

SQL Injection Vulnerability in itsourcecode Payroll Management System 1.0 (CVE-2026-5237)

hello@craftedsignal.io — Tue, 31 Mar 2026 23:17:11 +0000

itsourcecode Payroll Management System 1.0 is vulnerable to SQL injection, specifically within the /manage_user.php file. The vulnerability, identified as CVE-2026-5237, stems from improper sanitization of the ID parameter. A remote attacker can exploit this flaw to inject arbitrary SQL commands into the application’s database queries. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability allows attackers to potentially compromise the entire database.

Attack Chain

The attacker identifies an instance of itsourcecode Payroll Management System 1.0.
The attacker crafts a malicious HTTP request targeting the /manage_user.php file.
The attacker injects SQL code into the ID parameter within the crafted HTTP request.
The web server passes the tainted ID parameter to the vulnerable SQL query without proper sanitization.
The injected SQL code is executed against the database.
The attacker gains unauthorized access to sensitive data within the database, such as user credentials or payroll information.
The attacker can modify or delete data within the database.

Impact

Successful exploitation of this vulnerability can lead to the complete compromise of the itsourcecode Payroll Management System 1.0 database. An attacker could potentially gain access to sensitive payroll data, including employee names, addresses, social security numbers, and financial information. This data could be used for identity theft, financial fraud, or other malicious purposes. The vulnerability also allows for data modification or deletion, potentially disrupting payroll operations.

Recommendation

Inspect web server logs for requests to /manage_user.php containing suspicious characters or SQL keywords in the ID parameter to detect potential exploitation attempts (see rule: “Detect SQL Injection Attempts via URI”).
Monitor web server error logs for SQL errors that may indicate successful or attempted SQL injection (see rule: “Detect SQL Errors”).
Apply appropriate input validation and sanitization techniques to the ID parameter in the /manage_user.php file to prevent SQL injection attacks.

SQL Injection Vulnerability in Student Membership System 1.0

hello@craftedsignal.io — Tue, 31 Mar 2026 12:16:31 +0000

A SQL injection vulnerability, identified as CVE-2026-5198, exists within the code-projects Student Membership System version 1.0. Specifically, the vulnerability lies within the Admin Login component’s /admin/index.php file. Attackers can remotely exploit this vulnerability by manipulating the username and password parameters, leading to arbitrary SQL command execution. Public exploit code is available, increasing the risk of widespread exploitation. This vulnerability poses a…

code-projects Student Membership System SQL Injection Vulnerability (CVE-2026-5195)

hello@craftedsignal.io — Tue, 31 Mar 2026 09:18:57 +0000

A SQL injection vulnerability, identified as CVE-2026-5195, has been discovered in code-projects Student Membership System version 1.0. The vulnerability specifically affects the “User Registration Handler” component. An attacker can remotely exploit this flaw by manipulating input to execute arbitrary SQL queries. This vulnerability could allow an attacker to read, modify, or delete sensitive data within the application’s database. The base CVSS v3.1 score is 7.3, indicating a high severity…

SQL Injection Vulnerability in SourceCodester Simple Doctors Appointment System 1.0 (CVE-2026-5180)

hello@craftedsignal.io — Tue, 31 Mar 2026 05:16:12 +0000

SourceCodester Simple Doctors Appointment System 1.0 is vulnerable to SQL Injection (CVE-2026-5180). The vulnerability is located in the /admin/ajax.php?action=login2 endpoint, specifically the email parameter. A remote attacker can inject arbitrary SQL commands by manipulating this parameter. The vulnerability has been confirmed and an exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation can lead to unauthorized data access, modification…

SQL Injection Vulnerability in SourceCodester Simple Doctors Appointment System 1.0 (CVE-2026-5179)

hello@craftedsignal.io — Tue, 31 Mar 2026 05:16:11 +0000

SourceCodester Simple Doctors Appointment System 1.0 is vulnerable to SQL injection. The vulnerability, identified as CVE-2026-5179, resides in the /admin/login.php file. An attacker can remotely exploit this vulnerability by manipulating the Username argument, injecting malicious SQL commands into the application’s database queries. The vulnerability was published on March 31, 2026, and a public exploit is available, increasing the risk of exploitation. This vulnerability could allow attackers…

SciTokens KeyCache SQL Injection Vulnerability (CVE-2026-32714)

hello@craftedsignal.io — Tue, 31 Mar 2026 03:15:55 +0000

SciTokens is a reference library for generating and using SciTokens. A critical SQL injection vulnerability, identified as CVE-2026-32714, affects SciTokens versions prior to 1.9.6. The vulnerability resides within the KeyCache class, which improperly utilizes Python’s str.format() to construct SQL queries. This allows an attacker to inject arbitrary SQL commands by manipulating user-supplied data, such as the issuer and key_id parameters, during interactions with the local SQLite…

SQL Injection Vulnerability in code-projects Accounting System 1.0 (CVE-2026-5150)

hello@craftedsignal.io — Mon, 30 Mar 2026 20:16:24 +0000

A critical security vulnerability, identified as CVE-2026-5150, has been discovered in code-projects Accounting System version 1.0. The vulnerability resides within the Parameter Handler component, specifically affecting the ‘/viewin_costumer.php’ file. By maliciously manipulating the ‘cos_id’ argument, a remote attacker can inject arbitrary SQL commands into the application’s database queries. Given the public disclosure of this exploit, the risk of exploitation is elevated. Successful…

YunaiV yudao-cloud SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 30 Mar 2026 19:16:27 +0000

A security flaw, identified as CVE-2026-5147, has been discovered in YunaiV yudao-cloud software, specifically versions up to 2026.01. The vulnerability resides in the /admin-api/system/tenant/get-by-website endpoint, where manipulation of the Website argument can lead to SQL injection. This allows for potential remote exploitation without requiring authentication. The vulnerability was reported to the vendor, but no response or patch has been provided. Publicly available exploit code…

Multiple Vulnerabilities in Fleet

hello@craftedsignal.io — Mon, 30 Mar 2026 11:08:57 +0000

Multiple vulnerabilities have been identified in Fleet, a device management platform. These vulnerabilities, if exploited, could allow an attacker to perform a range of malicious activities, including SQL injection attacks, denial-of-service (DoS) attacks, bypassing security measures, disclosing sensitive information, and ultimately executing arbitrary program code with administrator privileges. Successful exploitation poses a significant risk to the confidentiality, integrity, and availability of systems managed by Fleet. Defenders should prioritize patching and implementing detection measures to mitigate the risk associated with these vulnerabilities. This threat affects all versions of Fleet.

Attack Chain

Attacker identifies a vulnerable endpoint in the Fleet application susceptible to SQL injection.
The attacker crafts a malicious SQL query designed to extract sensitive data from the Fleet database.
The attacker injects the malicious SQL query into the vulnerable endpoint, bypassing input validation.
The Fleet application executes the injected SQL query, inadvertently disclosing sensitive information such as user credentials and system configurations.
Alternatively, the attacker crafts a different SQL injection payload to modify database records, potentially granting themselves administrative privileges.
With elevated privileges, the attacker uploads and executes a malicious payload on the Fleet server.
The attacker leverages their access to install persistent backdoors and expand their reach within the network.
The attacker uses their foothold to disrupt the normal operations of the Fleet server causing a denial-of-service.

Impact

Successful exploitation of these vulnerabilities can have severe consequences. An attacker could gain complete control over the Fleet server, leading to data breaches, system outages, and the compromise of managed devices. The impact includes potential loss of sensitive data, disruption of critical services, and reputational damage. The attacker’s ability to execute arbitrary code with administrator privileges allows them to perform virtually any action on the affected system.

Recommendation

Deploy the Sigma rule Detect Suspicious Fleet Processes to identify potentially malicious processes spawned by Fleet.
Inspect web server logs for SQL injection attempts targeting the Fleet application using the Detect Fleet SQL Injection Attempts Sigma rule.
Monitor network connections originating from Fleet servers for unusual activity, especially outbound connections to unexpected destinations.
Implement strict input validation and sanitization measures to prevent SQL injection attacks, addressing the vulnerability at its root.

Multiple Vulnerabilities in Dovecot Mail Server

hello@craftedsignal.io — Mon, 30 Mar 2026 10:14:10 +0000

Multiple vulnerabilities have been identified in the Dovecot mail server software. An attacker can leverage these flaws to execute SQL injection attacks, potentially gaining unauthorized access to the underlying database. Furthermore, successful exploitation could lead to bypassing authentication mechanisms, allowing unauthorized access to mailboxes and sensitive information. The vulnerabilities also pose a risk of sensitive information disclosure and denial-of-service (DoS) conditions, disrupting mail services. The broad functionality affected by these flaws makes it a high-priority issue for organizations using Dovecot.

Attack Chain

An attacker identifies a vulnerable Dovecot instance accessible over the network.
The attacker crafts a malicious input string designed to exploit a SQL injection vulnerability in Dovecot’s authentication or user management modules.
The attacker submits the crafted input to a Dovecot service, such as IMAP or POP3, during the authentication process.
If the SQL injection is successful, the attacker gains unauthorized access to the Dovecot database.
The attacker uses the database access to extract user credentials or modify authentication settings.
Alternatively, the attacker exploits the SQL injection to disclose sensitive configuration data or internal system information.
If authentication bypass is successful, the attacker logs into a targeted user’s mailbox without valid credentials.
The attacker causes a denial-of-service condition by sending malformed requests that crash the Dovecot server.

Impact

Successful exploitation of these vulnerabilities could lead to complete compromise of the Dovecot server and the data it manages. This includes unauthorized access to user mailboxes, disclosure of sensitive information, and disruption of email services. The impact ranges from data breaches and loss of confidentiality to service outages and reputational damage. The severity depends on the specific vulnerability exploited and the configuration of the Dovecot instance.

Recommendation

Closely monitor Dovecot logs for suspicious SQL-related errors or authentication failures (reference: description of SQL injection vulnerability).
Implement strict input validation and sanitization measures to mitigate potential SQL injection attacks within Dovecot configurations.
Since the advisory does not list specific log sources, enable verbose logging for Dovecot services to capture detailed information about authentication attempts and database interactions.

SQL Injection Vulnerability in Simple Food Order System 1.0

hello@craftedsignal.io — Sat, 28 Mar 2026 23:16:44 +0000

A SQL injection vulnerability has been identified in the code-projects Simple Food Order System version 1.0. The vulnerability resides within the register-router.php file, specifically affecting the handling of the ‘Name’ argument. An attacker can remotely exploit this weakness by manipulating the ‘Name’ parameter, leading to arbitrary SQL execution. Given the public availability of exploit code, the risk of active exploitation is elevated. This vulnerability is particularly concerning as it could allow attackers to compromise the application’s database, potentially leading to data theft, modification, or complete system takeover. Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the backend database.

Attack Chain

An attacker identifies a vulnerable Simple Food Order System 1.0 instance exposed to the internet.
The attacker crafts a malicious HTTP request targeting the register-router.php endpoint.
Within the request, the attacker injects SQL code into the Name parameter.
The application fails to properly sanitize the injected SQL code, passing it directly to the database.
The database executes the malicious SQL query, potentially allowing the attacker to bypass authentication or access sensitive data.
The attacker retrieves sensitive information from the database, such as user credentials or order details.
Using the stolen credentials, the attacker gains unauthorized access to the application’s administrative panel.
The attacker modifies data within the database, disrupting services or exfiltrating sensitive information.

Impact

Successful exploitation of this SQL injection vulnerability can have significant consequences. Attackers could gain unauthorized access to sensitive customer data, including personal information and financial details. This data could be used for identity theft, fraud, or sold on the dark web. The compromise of the database could also lead to data corruption, service disruption, or complete system takeover. Given the ease of exploitation, a large number of installations are potentially at risk.

Recommendation

Apply appropriate input validation and sanitization to the Name parameter in register-router.php to prevent SQL injection attacks.
Deploy the Sigma rule Detect Suspicious SQL Injection Attempts to monitor for exploitation attempts targeting this vulnerability.
Monitor web server logs for suspicious requests containing SQL syntax targeting the register-router.php endpoint (webserver log source).
Review and harden database server configurations to prevent unauthorized access.
Consider implementing a web application firewall (WAF) to filter out malicious requests.

code-projects Simple Food Order System SQL Injection Vulnerability (CVE-2026-5017)

hello@craftedsignal.io — Sat, 28 Mar 2026 23:16:43 +0000

A SQL injection vulnerability, identified as CVE-2026-5017, affects code-projects Simple Food Order System version 1.0. This vulnerability resides within the /all-tickets.php file, specifically in how the application handles the ‘Status’ parameter. A remote attacker can exploit this flaw by crafting malicious SQL queries via the ‘Status’ argument, potentially leading to unauthorized data access, modification, or complete system compromise. The vulnerability has been publicly disclosed…

SQL Injection Vulnerability in Sinaptik AI PandasAI lancedb Extension

hello@craftedsignal.io — Sat, 28 Mar 2026 12:16:04 +0000

A SQL injection vulnerability has been identified in Sinaptik AI PandasAI versions up to 0.1.4. This vulnerability resides within the pandasai-lancedb Extension, specifically affecting the delete_question_and_answers, delete_docs, update_question_answer, update_docs, get_relevant_question_answers_by_id, and get_relevant_docs_by_id functions within the lancedb.py file. The vulnerability allows for remote exploitation, potentially enabling attackers to execute arbitrary SQL queries against the underlying database. A public exploit is available, increasing the risk of widespread exploitation. The vendor was contacted regarding this vulnerability but did not respond.

Attack Chain

An attacker identifies a PandasAI application using a vulnerable version (<= 0.1.4) with the lancedb extension enabled.
The attacker crafts a malicious HTTP request targeting one of the vulnerable functions: delete_question_and_answers, delete_docs, update_question_answer, update_docs, get_relevant_question_answers_by_id, or get_relevant_docs_by_id.
The malicious request injects SQL code into parameters intended for legitimate database queries.
The PandasAI application’s lancedb extension processes the request without proper sanitization or parameterization.
The injected SQL code is executed by the underlying database, modifying, deleting, or extracting sensitive data.
The attacker leverages the SQL injection to potentially escalate privileges within the database server.
The attacker can then use the escalated privileges to access other parts of the application or the underlying system.
The attacker exfiltrates sensitive data or compromises the integrity of the application and its data.

Impact

Successful exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive data, data modification, or even complete database compromise. Depending on the application’s function, this could result in exposure of personal information, financial data, or intellectual property. The availability of a public exploit increases the likelihood of widespread attacks. Without remediation, any application using a vulnerable version of PandasAI with the lancedb extension is at risk.

Recommendation

Upgrade PandasAI to a version greater than 0.1.4 to patch the SQL injection vulnerability (CVE-2026-4996).
Implement input validation and sanitization measures on all user-supplied data to prevent SQL injection attacks targeting webserver logs.
Deploy the Sigma rule Detect Potential PandasAI SQL Injection Attempts to your SIEM to detect exploitation attempts.

WeGIA Web Manager SQL Injection Vulnerability (CVE-2026-33991)

hello@craftedsignal.io — Fri, 27 Mar 2026 23:17:13 +0000

WeGIA, a web manager for charitable institutions, is susceptible to SQL injection in versions prior to 3.6.7. The vulnerability resides in the html/socio/sistema/deletar_tag.php file, where the application uses extract($_REQUEST) on line 14 and directly concatenates the $id_tag variable into SQL queries on lines 16-17. This occurs without proper sanitization or the use of prepared statements. The lack of input validation allows attackers to inject arbitrary SQL commands, potentially…

Shenzhen Ruiming Technology Streamax Crocus bis SQL Injection Vulnerability

hello@craftedsignal.io — Fri, 27 Mar 2026 04:16:08 +0000

A SQL injection vulnerability, identified as CVE-2026-4910, affects Shenzhen Ruiming Technology Streamax Crocus bis version 1.3.44. The vulnerability is located within the /RemoteFormat.do file, specifically the Endpoint component. By manipulating the State argument, a remote attacker can inject arbitrary SQL commands. Publicly available exploits exist, increasing the risk of exploitation. The vendor was notified but did not respond. Successful exploitation could lead to unauthorized data…

Ory Kratos SQL Injection Vulnerability in ListCourierMessages API

hello@craftedsignal.io — Thu, 26 Mar 2026 18:16:30 +0000

Ory Kratos, an identity, user management, and authentication system for cloud services, is vulnerable to SQL injection in versions prior to 26.2.0. The vulnerability resides within the ListCourierMessages Admin API and stems from flaws in its pagination implementation. The pagination tokens are encrypted using a secret configured in secrets.pagination. Attackers who obtain this secret can forge malicious tokens, leading to SQL injection attacks. Critically, if this configuration value remains unset, Kratos defaults to a publicly known pagination encryption secret. This allows attackers to manually generate valid malicious pagination tokens for vulnerable installations. Defenders should immediately configure a custom value for secrets.pagination using a cryptographically secure random secret and upgrade Kratos to version 26.2.0 or later.

Attack Chain

Attacker identifies an Ory Kratos instance running a version prior to 26.2.0.
Attacker checks the Kratos configuration to determine if secrets.pagination is set.
If secrets.pagination is not set, the attacker leverages the publicly known default pagination encryption secret.
The attacker crafts a malicious pagination token containing SQL injection payloads. This token exploits the vulnerable pagination logic in the ListCourierMessages API.
Attacker sends a request to the /admin/courier/messages endpoint with the crafted pagination token in the page_token parameter.
The Kratos application processes the malicious token, leading to the execution of arbitrary SQL queries against the underlying database.
The SQL injection allows the attacker to potentially read, modify, or delete sensitive data within the Kratos database, including user credentials, configuration settings, or other confidential information.
The attacker may use the compromised data for further attacks, such as account takeover or privilege escalation.

Impact

Successful exploitation of this SQL injection vulnerability can lead to complete compromise of the Ory Kratos instance. This can result in unauthorized access to user accounts, disclosure of sensitive information, and potential data manipulation or deletion. The severity is high due to the potential for significant data breach and service disruption impacting all users managed by the compromised Kratos instance. The number of victims depends on the size and user base of the affected Ory Kratos deployment.

Recommendation

Immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret within your Ory Kratos configuration (reference: Overview section).
Upgrade Ory Kratos to version 26.2.0 or later to patch the SQL injection vulnerability (reference: Overview section).
Monitor web server logs for suspicious requests to the /admin/courier/messages endpoint containing unusually long or malformed page_token parameters (create a custom rule based on this behavior).
Implement a Web Application Firewall (WAF) rule to block requests with suspicious SQL syntax in the page_token parameter targeting the /admin/courier/messages endpoint.

Kysely SQL Injection Vulnerability (CVE-2026-33468)

hello@craftedsignal.io — Thu, 26 Mar 2026 17:16:41 +0000

Kysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability in versions prior to 0.28.14. The vulnerability, identified as CVE-2026-33468, stems from the DefaultQueryCompiler.sanitizeStringLiteral() function’s failure to properly escape backslashes. This incomplete sanitization, in conjunction with the MySQL dialect’s default setting where NO_BACKSLASH_ESCAPES is OFF, enables attackers to bypass string literal contexts by injecting arbitrary SQL…

SQL Injection Vulnerability in Kysely TypeScript Library (CVE-2026-33442)

hello@craftedsignal.io — Thu, 26 Mar 2026 17:16:40 +0000

Kysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability identified as CVE-2026-33442. The vulnerability resides in the sanitizeStringLiteral method of the query compiler within versions 0.28.12 and 0.28.13. The method inadequately handles backslashes, failing to escape them, while properly escaping single quotes. On MySQL servers configured with the default BACKSLASH_ESCAPES SQL mode enabled, this oversight allows an attacker to inject a backslash…

HCL Aftermarket DPC SQL Injection Vulnerability (CVE-2025-55262)

hello@craftedsignal.io — Thu, 26 Mar 2026 14:16:07 +0000

A SQL Injection vulnerability, identified as CVE-2025-55262, affects HCL Aftermarket DPC. This vulnerability allows an attacker to inject malicious SQL code into input fields, which can then be executed by the database. Successful exploitation could lead to the retrieval of sensitive information from the database, potentially exposing user credentials, financial data, or other confidential information. The vulnerability was reported by HCL Software and has a CVSS v3.1 score of 8.3, indicating a…

Online Quiz Maker 1.0 SQL Injection Vulnerability (CVE-2018-25207)

hello@craftedsignal.io — Thu, 26 Mar 2026 12:16:05 +0000

Online Quiz Maker 1.0 is susceptible to SQL injection vulnerabilities, specifically identified as CVE-2018-25207. The vulnerability resides in the catid and usern parameters, which can be exploited by an authenticated attacker to inject arbitrary SQL commands. The attack vector involves crafting malicious POST requests to either quiz-system.php or add-category.php. Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data stored in the database…

ASP.NET jVideo Kit 1.0 SQL Injection Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 12:16:05 +0000

ASP.NET jVideo Kit 1.0 is susceptible to an SQL injection vulnerability (CVE-2018-25205) affecting its search functionality. This vulnerability enables unauthenticated attackers to inject arbitrary SQL commands by manipulating the ‘query’ parameter. The attack can be carried out via both GET and POST requests directed towards the /search endpoint. Successful exploitation allows attackers to perform boolean-based blind or error-based SQL injection techniques, potentially leading to the extraction of sensitive database information. This vulnerability was published on March 26, 2026. Defenders should prioritize patching or mitigating this vulnerability to prevent unauthorized access to sensitive data.

Attack Chain

An unauthenticated attacker identifies an ASP.NET jVideo Kit 1.0 instance.
The attacker crafts a malicious SQL payload designed to exploit the ‘query’ parameter in the /search endpoint.
The attacker sends a GET or POST request to the /search endpoint with the crafted SQL payload embedded in the query parameter.
The ASP.NET application fails to properly sanitize the input from the query parameter before using it in a database query.
The malicious SQL payload is executed against the database.
Depending on the SQL injection technique (boolean-based blind, error-based), the attacker infers information about the database structure and data.
The attacker refines the SQL payloads to extract sensitive data, such as usernames, passwords, or other confidential information.
The attacker exfiltrates the extracted data for malicious purposes.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2018-25205) allows unauthenticated attackers to extract sensitive information from the affected ASP.NET jVideo Kit 1.0 database. The number of affected installations is unknown, but the vulnerability could lead to data breaches, compromise of user accounts, and potential reputational damage to organizations using the vulnerable software. The affected software is a video sharing script, making content websites a key target.

Recommendation

Apply available patches or updates for ASP.NET jVideo Kit 1.0 to address CVE-2018-25205.
Implement input validation and sanitization measures to prevent SQL injection attacks against the /search endpoint, focusing on the ‘query’ parameter.
Deploy the following Sigma rule to detect exploitation attempts targeting the /search endpoint with potentially malicious SQL queries.

School Management System CMS 1.0 SQL Injection Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 12:16:04 +0000

School Management System CMS 1.0 is vulnerable to SQL injection affecting the admin login functionality. Disclosed in March 2026, the vulnerability allows unauthenticated attackers to bypass the login mechanism and gain administrative access by injecting malicious SQL code into the username parameter of the processlogin endpoint. The vulnerability stems from improper sanitization of user-supplied input, enabling boolean-based blind SQL injection. Successful exploitation grants full administrative privileges, potentially leading to data breaches, system compromise, and unauthorized modification of sensitive information. Given the sensitive nature of school management data, this vulnerability poses a significant risk to organizations using the affected software.

Attack Chain

The attacker identifies a School Management System CMS 1.0 instance accessible over the network.
The attacker navigates to the admin login page and identifies the vulnerable username parameter in the login form.
The attacker crafts a malicious SQL injection payload designed for boolean-based blind SQL injection.
The attacker sends the crafted payload to the /processlogin endpoint via a POST request through the username parameter.
The application processes the SQL injection, executing attacker-controlled SQL code against the database.
Based on the application’s response (e.g., successful login), the attacker refines the payload to extract sensitive information or bypass authentication.
The attacker successfully authenticates as an administrator without valid credentials.
The attacker accesses administrative functionalities, potentially leading to data exfiltration, modification, or system compromise.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2018-25201) could lead to full compromise of the School Management System CMS 1.0 instance. Attackers could gain unauthorized access to student records, financial data, and other sensitive information. Observed damage includes potential data breaches, defacement of the system, and complete loss of confidentiality, integrity, and availability. Due to the sensitive nature of data handled by school management systems, this vulnerability has a critical impact.

Recommendation

Apply available patches or upgrades to School Management System CMS 1.0 to address CVE-2018-25201.
Deploy the Sigma rules provided to detect exploitation attempts against the /processlogin endpoint.
Implement input validation and sanitization on all user-supplied data, especially the username parameter, to prevent SQL injection attacks.
Monitor web server logs for suspicious POST requests to the /processlogin endpoint containing SQL injection payloads.
Conduct regular security audits and penetration testing to identify and remediate vulnerabilities in School Management System CMS 1.0.

code-projects Online Food Ordering System SQL Injection Vulnerability (CVE-2026-4844)

hello@craftedsignal.io — Thu, 26 Mar 2026 05:16:41 +0000

A SQL injection vulnerability, identified as CVE-2026-4844, affects the code-projects Online Food Ordering System version 1.0. Specifically, the vulnerability resides within the Admin Login Module and is triggered by manipulating the Username argument when processing the /admin.php file. This allows a remote attacker to inject arbitrary SQL commands. Public exploits are available, increasing the risk of exploitation. Successful exploitation can lead to unauthorized access to the database…

OpenCart Core SQL Injection Vulnerability (CVE-2024-58341)

hello@craftedsignal.io — Wed, 25 Mar 2026 16:16:07 +0000

OpenCart Core 4.0.2.3 is susceptible to a SQL injection vulnerability that allows unauthenticated remote attackers to inject arbitrary SQL commands through the ‘search’ parameter. The vulnerability, identified as CVE-2024-58341, allows attackers to craft malicious GET requests to the product search endpoint, potentially leading to the extraction of sensitive database information. The attack relies on the injection of SQL code within the ‘search’ parameter, exploiting the lack of proper input…

SourceCodester Online Catering Reservation SQL Injection Vulnerability (CVE-2026-4615)

hello@craftedsignal.io — Wed, 25 Mar 2026 12:00:00 +0000

SourceCodester Online Catering Reservation 1.0 is vulnerable to SQL injection, as identified by CVE-2026-4615. The vulnerability resides within the /search.php file and can be triggered by manipulating the rcode argument. This allows a remote attacker to inject arbitrary SQL queries into the application’s database, potentially leading to data breaches, modification of data, or complete compromise of the database server. The vulnerability was reported on March 23, 2026, and a public exploit…

SQL Injection Vulnerability in Free Hotel Reservation System 1.0

hello@craftedsignal.io — Tue, 24 Mar 2026 14:00:00 +0000

The itsourcecode Free Hotel Reservation System 1.0 is vulnerable to SQL injection (CVE-2026-4612). The vulnerability resides in the Parameter Handler component, specifically affecting the /hotel/admin/mod_users/index.php script. By manipulating the account_id parameter, a remote attacker can inject arbitrary SQL commands into the application’s database queries. The vulnerability was reported in March 2026 and has a CVSS v3.1 score of 7.3 (HIGH). Publicly available exploit code increases the…

eNdonesia Portal v8.7 SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:06 +0000

eNdonesia Portal v8.7 is susceptible to SQL injection vulnerabilities. Unauthenticated attackers can exploit this flaw by injecting malicious SQL code through the bid parameter in the banners.php script. The vulnerability allows attackers to execute arbitrary SQL queries against the application’s database. Successful exploitation could lead to the unauthorized extraction of sensitive information, including database schema details from INFORMATION_SCHEMA tables. This vulnerability, identified as CVE-2019-25643, poses a significant risk due to the ease of exploitation and the potential for extensive data compromise. The vulnerability was reported on March 24, 2026.

Attack Chain

An unauthenticated attacker identifies an eNdonesia Portal v8.7 instance.
The attacker crafts a malicious SQL payload designed to extract data from the INFORMATION_SCHEMA tables.
The attacker constructs a GET request targeting banners.php.
The crafted SQL payload is injected into the bid parameter of the GET request: banners.php?bid=.
The web server processes the request and executes the injected SQL query against the database.
The database returns the results of the SQL query, potentially including sensitive data or schema information.
The attacker receives the database response containing the extracted information.
The attacker analyzes the extracted information to further compromise the system or exfiltrate sensitive data.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the unauthorized disclosure of sensitive data, including user credentials, financial information, and other confidential data stored in the eNdonesia Portal v8.7 database. The impact could range from defacement of the website to complete compromise of the underlying database server. Although the number of affected installations is unknown, any instance of eNdonesia Portal v8.7 is potentially vulnerable.

Recommendation

Deploy the Sigma rule Detecting eNdonesia banners.php SQL Injection Attempt to your SIEM to identify exploitation attempts targeting the banners.php endpoint.
Examine web server logs for GET requests to banners.php containing suspicious SQL syntax within the bid parameter (reference the log source in the Sigma rule).
Apply available patches or updates for eNdonesia Portal v8.7 to remediate the CVE-2019-25643 vulnerability.

Bootstrapy CMS Unauthenticated SQL Injection Vulnerabilities

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:06 +0000

Bootstrapy CMS is vulnerable to multiple SQL injection vulnerabilities (CVE-2019-25642). These vulnerabilities allow unauthenticated attackers to execute arbitrary SQL queries. The attack vector involves injecting malicious SQL code via POST parameters in specific PHP files: forum-thread.php, contact-submit.php, and post-new-submit.php. Successful exploitation can lead to sensitive database information disclosure or a denial-of-service condition. The identified vulnerabilities exist in the latest version of Bootstrapy CMS as of March 2026, and the exploitation does not require any authentication. This poses a significant threat to organizations using this CMS.

Attack Chain

An unauthenticated attacker identifies a Bootstrapy CMS instance.
The attacker crafts a malicious HTTP POST request targeting one of the vulnerable PHP files: forum-thread.php, contact-submit.php, or post-new-submit.php.
The attacker injects a SQL payload into the thread_id parameter of forum-thread.php, the subject parameter of contact-submit.php, or the post-id parameter of post-new-submit.php.
The web server processes the request, passing the injected SQL payload to the database.
The database executes the malicious SQL query, potentially allowing the attacker to read sensitive data.
The attacker retrieves sensitive data from the database, such as user credentials, configuration settings, or other confidential information.
Alternatively, the attacker injects a SQL payload designed to cause a denial-of-service condition by consuming excessive database resources.
The attacker disrupts the availability of the Bootstrapy CMS instance.

Impact

Successful exploitation of these SQL injection vulnerabilities can lead to the complete compromise of the Bootstrapy CMS database. This may include the theft of sensitive user data, modification of website content, or complete denial of service. The impact is high because it affects the confidentiality, integrity, and availability of the application and its data. The number of affected installations is unknown, but any organization running a vulnerable version of Bootstrapy CMS is at risk.

Recommendation

Inspect web server logs for HTTP POST requests to forum-thread.php, contact-submit.php, and post-new-submit.php containing suspicious SQL syntax in the thread_id, subject, or post-id parameters, as covered by the Sigma rules below.
Apply available patches from the vendor to remediate CVE-2019-25642.
Block access to the known exploit URLs in the IOC list at your web application firewall (WAF).
Implement input validation and sanitization for all user-supplied data to prevent SQL injection attacks.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Inout Article Base CMS SQL Injection Vulnerability (CVE-2019-25640)

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:05 +0000

Inout Article Base CMS is susceptible to SQL injection vulnerabilities (CVE-2019-25640). Unauthenticated attackers can exploit these vulnerabilities by manipulating database queries via the ‘p’ and ‘u’ parameters in GET requests to the portalLogin.php script. The attack leverages XOR-based SQL injection payloads. Successful exploitation can allow attackers to extract sensitive database information or cause a denial of service through time-based attacks. This vulnerability poses a significant…

Zeeways Matrimony CMS Unauthenticated SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:04 +0000

Zeeways Matrimony CMS is susceptible to SQL injection vulnerabilities affecting the profile_list endpoint. This vulnerability allows unauthenticated attackers to inject malicious SQL code through the up_cast, s_mother, and s_religion parameters. Successful exploitation could lead to unauthorized access to sensitive data within the database. The vulnerability was reported in CVE-2019-25635. The vulnerable software is Zeeways Matrimony CMS, and it’s crucial for organizations using this CMS to apply necessary patches or mitigations to prevent potential data breaches. Defenders should prioritize monitoring web server logs for suspicious activity targeting these specific parameters and the profile_list endpoint.

Attack Chain

An unauthenticated attacker identifies a Zeeways Matrimony CMS instance.
The attacker crafts a malicious HTTP GET or POST request targeting the profile_list endpoint.
The attacker injects SQL code into the up_cast, s_mother, or s_religion parameters of the HTTP request.
The web server processes the request and executes the injected SQL code against the database.
Depending on the injected SQL, the attacker can extract sensitive information from the database, such as user credentials or personal details, using time-based or error-based techniques.
The attacker analyzes the extracted data to identify valuable information.
The attacker may use the extracted credentials to further compromise the system or access other resources.

Impact

Successful exploitation of this SQL injection vulnerability could lead to a full database compromise, potentially exposing sensitive user data including personal information, credentials, and financial details. This can result in significant reputational damage, financial losses due to regulatory fines, and legal repercussions for organizations using the vulnerable Zeeways Matrimony CMS. The impact is high due to the ease of exploitation (unauthenticated) and the potential for complete data exfiltration.

Recommendation

Inspect web server logs for suspicious HTTP requests targeting the /profile_list endpoint with SQL injection attempts in the up_cast, s_mother, and s_religion parameters (see IOC table and enable webserver logging).
Apply available patches or updates for Zeeways Matrimony CMS to address CVE-2019-25635.
Deploy the Sigma rule provided to detect exploitation attempts targeting the specified parameters in the URL.
Implement input validation and sanitization for all user-supplied data, especially for parameters used in database queries to prevent future SQL injection vulnerabilities.

Zeeways Jobsite CMS SQL Injection Vulnerability (CVE-2019-25636)

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:04 +0000

Zeeways Jobsite CMS is vulnerable to SQL injection (CVE-2019-25636). This vulnerability allows unauthenticated attackers to inject arbitrary SQL code into database queries via the ‘id’ GET parameter. The vulnerability affects the news_details.php, jobs_details.php, and job_cmp_details.php files. By sending crafted HTTP requests with malicious ‘id’ parameter values, attackers can manipulate database queries using techniques like GROUP BY and CASE statements. The initial report was published…

Meeplace Business Review Script SQL Injection Vulnerability (CVE-2019-25638)

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:04 +0000

Meeplace Business Review Script is susceptible to an SQL injection vulnerability (CVE-2019-25638) affecting the addclick.php endpoint. Unauthenticated attackers can exploit this vulnerability by injecting malicious SQL code through the ‘id’ parameter in GET requests. This can lead to the execution of arbitrary SQL queries, potentially enabling attackers to retrieve sensitive database information or trigger a denial-of-service condition. The vulnerability was published on 2026-03-24 and poses a…

WP Job Portal Plugin SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

The WP Job Portal plugin for WordPress, a widely used plugin for managing job listings, is susceptible to SQL Injection attacks. This vulnerability, identified as CVE-2026-4306, affects all versions up to and including 2.4.8. The flaw stems from the insufficient sanitization of the ‘radius’ parameter, which is directly incorporated into SQL queries without proper escaping. This lack of input validation enables unauthenticated attackers to inject malicious SQL code into the application’s database queries. Successful exploitation could lead to the unauthorized disclosure of sensitive information stored within the WordPress database. Given the popularity of WordPress and the WP Job Portal plugin, a successful attack could impact a large number of websites and expose confidential data, including user credentials, financial details, and other sensitive information.

Attack Chain

An unauthenticated attacker crafts a malicious HTTP request targeting the WordPress website running the vulnerable WP Job Portal plugin.
The attacker appends a SQL injection payload to the ‘radius’ parameter within the HTTP request.
The vulnerable plugin receives the request and incorporates the unsanitized ‘radius’ parameter into an SQL query within includes/ajax.php or modules/job/model.php.
The injected SQL code is executed against the WordPress database due to the lack of proper input validation and escaping.
The attacker leverages the SQL injection to extract sensitive information from the database, such as user credentials, API keys, or other confidential data.
The extracted data may be exfiltrated from the server using various techniques.
The attacker could potentially use the compromised data to gain further access to the WordPress site or connected systems.

Impact

Successful exploitation of this SQL Injection vulnerability (CVE-2026-4306) could lead to the complete compromise of the WordPress database. Attackers could gain access to sensitive information, including user credentials, customer data, and confidential business information. The vulnerability impacts all users running WP Job Portal plugin versions 2.4.8 and earlier. The CVSS v3.1 score is 7.5, indicating a high severity risk. The impact includes unauthorized data access.

Recommendation

Upgrade the WP Job Portal plugin to version 2.4.9 or later to patch the SQL Injection vulnerability (CVE-2026-4306).
Deploy a web application firewall (WAF) with rules to detect and block SQL Injection attempts targeting the ‘radius’ parameter in WordPress plugins.
Enable detailed logging for your web server (category “webserver”, product “linux|windows”) to monitor for suspicious activity and potential exploitation attempts.

SourceCodester Online Library Management System SQL Injection Vulnerability (CVE-2026-4624)

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

A SQL injection vulnerability, identified as CVE-2026-4624, affects SourceCodester Online Library Management System version 1.0. The vulnerability resides within the /home.php file, specifically in the parameter handler component. By manipulating the searchField argument, an attacker can inject malicious SQL code. The attack is remotely exploitable, meaning that an attacker does not need local access to the server. Given the public availability of the exploit, organizations using the…