{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sqli/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4062"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin \u003c= 1.13.18"],"_cs_severities":["high"],"_cs_tags":["sqli","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress, in versions up to and including 1.13.18, contains a Time-Based SQL Injection vulnerability (CVE-2026-4062). The vulnerability exists within the \u0026lsquo;object_ids\u0026rsquo; and \u0026lsquo;exclude_object_ids\u0026rsquo; parameters. Insufficient escaping of user-supplied input, specifically within the \u003ccode\u003eIN(...)\u003c/code\u003e and \u003ccode\u003eNOT IN(...)\u003c/code\u003e SQL context, coupled with inadequate preparation of the existing SQL query, allows for the injection. The \u003ccode\u003eesc_sql()\u003c/code\u003e function is applied but is rendered ineffective due to its inability to protect against parenthesis or SQL keyword injection within the unquoted \u003ccode\u003eIN(...)\u003c/code\u003e / \u003ccode\u003eNOT IN(...)\u003c/code\u003e context. A numeric-only sanitizer exists in \u003ccode\u003esanitize_query_args()\u003c/code\u003e, but this is only applied in the AJAX code path and not in the \u003ccode\u003erender-map.php\u003c/code\u003e or template tag code paths. 
This flaw enables unauthenticated attackers to append malicious SQL queries, facilitating the extraction of sensitive information from the WordPress database through a time-based blind SQL injection technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the vulnerable Geo Mashup plugin running on a WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a time-based SQL injection payload into the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameter. This payload leverages SQL functions like \u003ccode\u003eSLEEP()\u003c/code\u003e or \u003ccode\u003eBENCHMARK()\u003c/code\u003e to introduce delays based on conditional SQL logic.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code fails to properly sanitize the injected SQL code due to the ineffective \u003ccode\u003eesc_sql()\u003c/code\u003e function in the \u003ccode\u003eIN\u003c/code\u003e/\u003ccode\u003eNOT IN\u003c/code\u003e context.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is appended to the existing SQL query executed by the Geo Mashup plugin.\u003c/li\u003e\n\u003cli\u003eThe database server executes the combined query, including the injected time-based SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the response time of the HTTP request. 
A delayed response indicates that the injected SQL logic evaluated to true.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending requests with different SQL injection payloads, the attacker can extract sensitive information from the database one character at a time.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the complete compromise of the WordPress database. An attacker can extract sensitive information such as user credentials, API keys, configuration details, and other confidential data. This can result in data breaches, unauthorized access to the WordPress site, and potential further attacks on connected systems. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to a version greater than 1.13.18 to remediate CVE-2026-4062.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Geo Mashup Time-Based SQL Injection Attempts\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads in the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameters to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sqli/","summary":"The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection 
(CVE-2026-4062)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7489"}],"_cs_exploited":false,"_cs_products":["CTMS"],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-7489","web-application"],"_cs_type":"advisory","_cs_vendors":["Sunnet"],"content_html":"\u003cp\u003eA SQL Injection vulnerability, identified as CVE-2026-7489, exists in CTMS developed by Sunnet. This flaw allows authenticated remote attackers to inject arbitrary SQL commands. Successful exploitation could allow the attackers to read, modify, and delete database contents. The vulnerability was published on May 2, 2026. The scope of this vulnerability affects systems running the vulnerable CTMS software, potentially leading to data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the CTMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an endpoint vulnerable to SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL query designed to exploit the injection point, likely using tools like Burp Suite or SQLMap.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the SQL payload via a crafted HTTP request, targeting vulnerable parameters within the request.\u003c/li\u003e\n\u003cli\u003eThe CTMS application executes the injected SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses authentication or authorization controls to gain elevated privileges within the application or database.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive data from the database, such as user credentials or confidential business information.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or deletes database entries, leading to data corruption or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could allow attackers to read sensitive information, modify data, or delete critical database contents. This could lead to a complete compromise of the CTMS application and its underlying database, impacting all users and data managed by the system. The severity is heightened by the potential for attackers to gain complete control over the database, leading to significant data breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade CTMS to a version that addresses CVE-2026-7489 as soon as it becomes available from Sunnet.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Attempts\u0026rdquo; to identify potential exploitation attempts against CTMS (see below).\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious activity indicative of SQL injection attempts, specifically looking for unusual characters or SQL syntax in HTTP request parameters.\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and sanitization techniques to prevent SQL injection vulnerabilities in CTMS and other web applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T10:16:18Z","date_published":"2026-05-02T10:16:18Z","id":"/briefs/2026-05-sunnet-ctms-sqli/","summary":"Sunnet CTMS is vulnerable to SQL injection (CVE-2026-7489), allowing authenticated remote attackers to execute arbitrary SQL commands and compromise the database.","title":"Sunnet CTMS SQL Injection Vulnerability (CVE-2026-7489)","url":"https://feed.craftedsignal.io/briefs/2026-05-sunnet-ctms-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7545"}],"_cs_exploited":false,"_cs_products":["Advanced School Management System 
1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eSourceCodester Advanced School Management System version 1.0 is vulnerable to SQL injection in the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint within the \u003ccode\u003ecommonController.php\u003c/code\u003e file. This vulnerability, identified as CVE-2026-7545, allows a remote attacker to inject arbitrary SQL commands. Publicly available exploits targeting this vulnerability increase the risk of exploitation. Successful exploitation could lead to unauthorized data access, modification, or deletion within the application\u0026rsquo;s database. Given the availability of public exploits, organizations using this software are at an elevated risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint in \u003ccode\u003ecommonController.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint, injecting SQL code into the email parameter.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application fails to properly sanitize the email input.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is passed directly to the database query.\u003c/li\u003e\n\u003cli\u003eThe database executes the malicious SQL code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may then read sensitive data, modify existing data, or insert new malicious data.\u003c/li\u003e\n\u003cli\u003eThe attacker might also use this to escalate privileges within the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection 
vulnerability (CVE-2026-7545) could allow an attacker to read, modify, or delete sensitive data stored in the Advanced School Management System database. This could include student records, financial information, or administrative credentials. The availability of public exploits increases the likelihood of attacks targeting this vulnerability, potentially impacting any organization using the affected software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint in \u003ccode\u003ecommonController.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ASMS CheckEmail SQL Injection Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:16:49Z","date_published":"2026-05-01T02:16:49Z","id":"/briefs/2026-05-asms-sqli/","summary":"A SQL injection vulnerability (CVE-2026-7545) exists in SourceCodester Advanced School Management System 1.0 within the checkEmail endpoint of commonController.php, allowing remote attackers to potentially execute arbitrary SQL commands.","title":"SourceCodester Advanced School Management System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-asms-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7435"}],"_cs_exploited":false,"_cs_products":["SSCMS 7.4.0"],"_cs_severities":["critical"],"_cs_tags":["sqli","cve-2026-7435","web-application"],"_cs_type":"advisory","_cs_vendors":["siteserver"],"content_html":"\u003cp\u003eSSCMS v7.4.0 is susceptible to a SQL injection vulnerability (CVE-2026-7435) within the 
\u003ccode\u003estl:sqlContent\u003c/code\u003e tag. The vulnerability arises because the \u003ccode\u003equeryString\u003c/code\u003e attribute is passed directly to database execution without adequate sanitization or parameterization. This flaw enables attackers to inject malicious SQL code by crafting encrypted payloads and submitting them to the \u003ccode\u003e/api/stl/actions/dynamic\u003c/code\u003e endpoint. Successful exploitation can lead to unauthorized access to the database, disclosure of sensitive information, authentication bypass, modification of data, or even complete compromise of the database. This vulnerability poses a significant risk to organizations using the affected SSCMS version, potentially leading to severe data breaches and system disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an SSCMS v7.4.0 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload, specifically targeting the \u003ccode\u003equeryString\u003c/code\u003e attribute within the \u003ccode\u003estl:sqlContent\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts the crafted SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the encrypted payload to the \u003ccode\u003e/api/stl/actions/dynamic\u003c/code\u003e endpoint using an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe SSCMS application receives the request and processes the \u003ccode\u003estl:sqlContent\u003c/code\u003e tag without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the database, potentially extracting sensitive data or modifying existing records.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges or move laterally within the compromised system, depending on 
the level of access gained.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to severe consequences. An attacker could gain complete control over the SSCMS database, potentially exposing sensitive user data, confidential business information, or proprietary intellectual property. Data breaches resulting from this vulnerability could lead to significant financial losses, reputational damage, and legal liabilities. The lack of specifics about victim count or sectors targeted makes quantification difficult, but the potential impact is high for any organization using the affected software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for SSCMS v7.4.0 to address the SQL injection vulnerability described in CVE-2026-7435.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection attacks, specifically focusing on the \u003ccode\u003equeryString\u003c/code\u003e attribute of the \u003ccode\u003estl:sqlContent\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SSCMS stl:sqlContent Requests\u003c/code\u003e to identify potential exploitation attempts targeting the \u003ccode\u003e/api/stl/actions/dynamic\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T21:16:34Z","date_published":"2026-04-30T21:16:34Z","id":"/briefs/2026-04-sscms-sqli/","summary":"SSCMS v7.4.0 is vulnerable to SQL injection via the stl:sqlContent tag's queryString attribute, allowing attackers to execute arbitrary SQL statements through crafted payloads submitted to the /api/stl/actions/dynamic endpoint.","title":"SSCMS v7.4.0 SQL Injection Vulnerability in stl:sqlContent 
Tag","url":"https://feed.craftedsignal.io/briefs/2026-04-sscms-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MISP \u003c 2.5.37"],"_cs_severities":["high"],"_cs_tags":["misp","vulnerability","sqli","privilege-escalation","security-policy-bypass"],"_cs_type":"advisory","_cs_vendors":["MISP"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been discovered in MISP (Malware Information Sharing Platform and Threat Sharing) versions prior to 2.5.37. These flaws could allow a remote attacker to perform a variety of malicious actions, including escalating privileges to gain unauthorized access, injecting SQL code to potentially read or modify database contents, and bypassing existing security policies to execute restricted operations. These vulnerabilities pose a significant risk to organizations using MISP for threat intelligence, potentially leading to data breaches, unauthorized access to sensitive information, or disruption of threat intelligence operations. 
Users should upgrade to version 2.5.37 or later as soon as possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable MISP instance running a version prior to 2.5.37.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload designed to exploit a SQLi vulnerability within the MISP application, potentially targeting input fields or API endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SQL injection payload to the vulnerable MISP instance through a web request or API call.\u003c/li\u003e\n\u003cli\u003eThe MISP application improperly processes the malicious SQL payload, leading to the execution of attacker-controlled SQL commands against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a privilege escalation vulnerability to gain elevated privileges within the MISP application, potentially bypassing access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the security policy bypass vulnerability to circumvent security restrictions and execute unauthorized actions within the MISP system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data stored within the MISP instance, such as threat intelligence reports, indicators of compromise (IOCs), or user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data or uses the compromised system to launch further attacks against other systems or organizations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to sensitive threat intelligence data stored within MISP, potentially impacting organizations relying on MISP for security operations. 
An attacker could steal sensitive data, modify existing intelligence, or inject false information, impacting trust in the platform. While the number of victims is not specified in the report, any organization using a vulnerable version of MISP is at risk. The severity of impact would depend on the sensitivity of the data stored within the compromised MISP instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade MISP to version 2.5.37 or later to remediate the vulnerabilities as per the vendor\u0026rsquo;s security bulletin.\u003c/li\u003e\n\u003cli\u003eDeploy web application firewall (WAF) rules to detect and block SQL injection attempts targeting MISP, mitigating potential SQLi exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor MISP logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious activity, such as unexpected SQL errors or unauthorized access attempts, to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-misp-vulns/","summary":"Multiple vulnerabilities in MISP versions prior to 2.5.37 allow attackers to perform privilege escalation, SQL injection (SQLi), and security policy bypass.","title":"Multiple Vulnerabilities in MISP Threat Intelligence Platform","url":"https://feed.craftedsignal.io/briefs/2026-04-misp-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ProFTPD"],"_cs_severities":["high"],"_cs_tags":["sqli","proftpd","linux"],"_cs_type":"advisory","_cs_vendors":["ProFTPD"],"content_html":"\u003cp\u003eA vulnerability in ProFTPD allows for SQL injection attacks by remote, unauthenticated attackers. 
The specific flaw and version number are not mentioned in the source, but the generic report indicates a potentially widespread issue affecting publicly accessible ProFTPD servers. Successful exploitation could lead to unauthorized data access, modification, or potentially complete system compromise depending on the database permissions configured for ProFTPD. Defenders should apply all available security patches for ProFTPD.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a ProFTPD server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL injection payload.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted SQL injection payload through a ProFTPD command or parameter.\u003c/li\u003e\n\u003cli\u003eProFTPD processes the malicious payload without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe payload is passed to the underlying database server.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL command.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data or modifies database records.\u003c/li\u003e\n\u003cli\u003eAttacker may use the gained access to further compromise the server or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SQL injection vulnerability in ProFTPD allows unauthorized access to the underlying database. This can lead to the disclosure of sensitive information, modification of data, or even complete database compromise. The number of victims and sectors targeted are currently unknown, but public-facing ProFTPD servers are at risk. 
A successful attack could lead to significant data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches for ProFTPD as soon as they are available to remediate SQL injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor ProFTPD logs for suspicious activity and SQL injection attempts (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and sanitization techniques to prevent SQL injection vulnerabilities in ProFTPD configurations.\u003c/li\u003e\n\u003cli\u003eReview database access permissions for the ProFTPD user to minimize the impact of potential SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T09:54:05Z","date_published":"2026-04-29T09:54:05Z","id":"/briefs/2024-01-proftpd-sqli/","summary":"An anonymous remote attacker can exploit a SQL injection vulnerability in ProFTPD.","title":"ProFTPD SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-proftpd-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7130"}],"_cs_exploited":false,"_cs_products":["Pharmacy Sales and Inventory System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-7130"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The vulnerability resides within the \u003ccode\u003e/ajax.php?action=delete_category\u003c/code\u003e endpoint, where a manipulation of the \u003ccode\u003eID\u003c/code\u003e argument can lead to arbitrary SQL command execution. This allows remote attackers to potentially bypass authentication, access sensitive data, modify database contents, or even compromise the entire system. 
Given the availability of a published exploit, this vulnerability poses a significant risk to organizations utilizing the affected software. Successful exploitation requires no authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of SourceCodester Pharmacy Sales and Inventory System 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003e/ajax.php?action=delete_category\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003eID\u003c/code\u003e parameter of the request.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL code to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker-controlled SQL query.\u003c/li\u003e\n\u003cli\u003eDepending on the injected SQL, the attacker can read sensitive data from the database (e.g., user credentials, financial records).\u003c/li\u003e\n\u003cli\u003eThe attacker could also modify data, such as altering inventory levels or creating unauthorized accounts.\u003c/li\u003e\n\u003cli\u003eUltimately, the attacker could gain full control of the database and the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could result in unauthorized access to sensitive patient data, financial records, and other confidential information stored within the Pharmacy Sales and Inventory System database. Attackers could potentially modify data, leading to incorrect inventory levels, fraudulent transactions, or even complete system compromise. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations. 
Given that the exploit is public, organizations using this software are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eID\u003c/code\u003e parameter within the \u003ccode\u003e/ajax.php?action=delete_category\u003c/code\u003e endpoint to prevent SQL injection (reference CVE-2026-7130).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious requests to the \u003ccode\u003e/ajax.php?action=delete_category\u003c/code\u003e endpoint containing potential SQL injection attempts.\u003c/li\u003e\n\u003cli\u003eImplement regular security audits and penetration testing to identify and remediate vulnerabilities in web applications.\u003c/li\u003e\n\u003cli\u003eRestrict database access privileges to the minimum necessary for each user and application to limit the potential impact of a successful SQL injection attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T12:00:00Z","date_published":"2026-04-28T12:00:00Z","id":"/briefs/2026-04-pharmacy-sqli/","summary":"A remote SQL injection vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0 via manipulation of the ID parameter in the /ajax.php?action=delete_category endpoint, potentially leading to unauthorized data access or modification.","title":"SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-pharmacy-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7088"}],"_cs_exploited":false,"_cs_products":["Pharmacy Sales and Inventory System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-7088"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eSourceCodester Pharmacy Sales and Inventory System version 1.0 is susceptible to SQL injection. 
The vulnerability resides in the \u003ccode\u003e/ajax.php?action=save_receiving\u003c/code\u003e file, where manipulation of the \u003ccode\u003eID\u003c/code\u003e argument can lead to arbitrary SQL command execution. This vulnerability allows remote attackers to compromise the application\u0026rsquo;s database. The exploit is publicly available, increasing the risk of exploitation. This vulnerability allows attackers to read, modify, or delete sensitive data, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of SourceCodester Pharmacy Sales and Inventory System version 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/ajax.php?action=save_receiving\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a SQL payload into the \u003ccode\u003eID\u003c/code\u003e parameter of the request.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the injected SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the malicious SQL query, potentially returning sensitive data to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the SQL injection to bypass authentication, allowing them to access administrative functions.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the SQL injection to modify inventory data, manipulate sales records, or create fraudulent transactions.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the SQL injection to exfiltrate sensitive data such as customer information, financial records, and administrator credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive data, modification of 
inventory and sales records, and potentially full control of the application and underlying server. This could result in financial loss, reputational damage, and legal repercussions for affected organizations. Given the public availability of the exploit, the risk of widespread exploitation is high. The impact could include data breaches, financial fraud, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting SQL Injection Attempts via URI\u003c/code\u003e to identify malicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eID\u003c/code\u003e parameter in the \u003ccode\u003e/ajax.php?action=save_receiving\u003c/code\u003e file to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as error messages or unusual requests targeting the \u003ccode\u003e/ajax.php?action=save_receiving\u003c/code\u003e endpoint (webserver log source).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of the application or implement a web application firewall (WAF) rule to block malicious requests.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles for database access to limit the impact of successful SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T06:16:03Z","date_published":"2026-04-27T06:16:03Z","id":"/briefs/2026-04-pharmacy-sales-sqli/","summary":"SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection by manipulating the ID argument in the /ajax.php?action=save_receiving file, allowing remote attackers to execute arbitrary SQL commands.","title":"SourceCodester Pharmacy Sales and Inventory System SQL Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-pharmacy-sales-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7063"}],"_cs_exploited":false,"_cs_products":["Employee Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-7063","web-application"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-7063, has been discovered in code-projects Employee Management System version 1.0. The vulnerability resides within the \u003ccode\u003e/370project/process/eprocess.php\u003c/code\u003e file, specifically affecting the \u003ccode\u003epwd\u003c/code\u003e argument. Successful exploitation allows a remote attacker to inject and execute arbitrary SQL commands against the application\u0026rsquo;s database. Given that the exploit is publicly available, organizations using this system are at immediate risk of unauthorized data access, modification, or deletion. The affected component is the endpoint processing user input, making it a critical point of failure if not properly secured. 
This vulnerability poses a significant threat due to its ease of exploitation and potential for widespread data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an instance of code-projects Employee Management System 1.0 accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/370project/process/eprocess.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker manipulates the \u003ccode\u003epwd\u003c/code\u003e parameter, injecting SQL code within the parameter\u0026rsquo;s value.\u003c/li\u003e\n\u003cli\u003eThe server-side code improperly sanitizes or validates the injected SQL code within the \u003ccode\u003epwd\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses authentication or gains elevated privileges through the successful SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive data from the database, such as user credentials or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete data within the database, leading to data corruption or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7063) can lead to complete compromise of the affected Employee Management System. An attacker can gain unauthorized access to sensitive employee data, including personal information, salaries, and performance reviews. The attacker could modify or delete critical data, disrupt business operations, or use the compromised system as a launchpad for further attacks within the organization\u0026rsquo;s network. 
Given the public availability of the exploit, organizations failing to address this vulnerability are at a high risk of experiencing a data breach and associated financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to \u003ccode\u003e/370project/process/eprocess.php\u003c/code\u003e containing SQL syntax in the \u003ccode\u003epwd\u003c/code\u003e parameter to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts targeting the vulnerable \u003ccode\u003epwd\u003c/code\u003e parameter in the \u003ccode\u003eeprocess.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003epwd\u003c/code\u003e parameter in \u003ccode\u003e/370project/process/eprocess.php\u003c/code\u003e to prevent SQL injection, addressing CVE-2026-7063.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T23:16:21Z","date_published":"2026-04-26T23:16:21Z","id":"/briefs/2026-04-ems-sqli/","summary":"CVE-2026-7063 is a SQL Injection vulnerability in code-projects Employee Management System 1.0 via the 'pwd' parameter in /370project/process/eprocess.php, enabling remote attackers to execute arbitrary SQL commands.","title":"code-projects Employee Management System SQL Injection Vulnerability (CVE-2026-7063)","url":"https://feed.craftedsignal.io/briefs/2026-04-ems-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-39974"}],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["n8n","vulnerability","sqli","xss","rce","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in n8n, a workflow automation tool. 
An attacker exploiting these vulnerabilities could achieve a range of malicious outcomes, including remote code execution, security bypass, information disclosure, SQL injection, denial-of-service, cross-site scripting (XSS), malicious redirection, and session hijacking. The vulnerabilities stem from insufficient input validation, insecure configurations, or design flaws within the n8n application. Successful exploitation can lead to complete compromise of the n8n instance and potentially the underlying system, depending on the permissions of the n8n process. This poses a significant risk to organizations relying on n8n for critical business processes. Defenders need to implement robust security measures to mitigate these risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the broad range of potential vulnerabilities, a generalized attack chain is outlined below:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies a vulnerable n8n instance, potentially through Shodan or similar tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification:\u003c/strong\u003e The attacker probes the n8n instance to identify specific exploitable vulnerabilities, such as those related to SQL injection or XSS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (SQL Injection):\u003c/strong\u003e The attacker crafts malicious SQL queries through user input fields or API calls to extract sensitive data from the n8n database, such as user credentials or API keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (XSS):\u003c/strong\u003e The attacker injects malicious JavaScript code into n8n workflows or data fields. 
When other users interact with the affected workflows or data, the JavaScript code executes in their browsers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e The attacker leverages the compromised credentials or XSS vulnerabilities to gain elevated privileges within the n8n instance or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e The attacker exploits a vulnerability that allows for the execution of arbitrary code on the server. This could be achieved through insecure file uploads, deserialization flaws, or command injection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new n8n workflows or modifying existing ones to execute malicious code on a recurring basis.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker exfiltrates sensitive data, disrupts critical business processes by manipulating or deleting workflows, or uses the compromised system as a foothold for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in significant damage, depending on the attacker\u0026rsquo;s objectives. The potential impact includes data breaches, financial losses, service disruptions, and reputational damage. If sensitive data is exfiltrated, it could be used for identity theft, fraud, or other malicious purposes. Disruption of critical workflows can lead to business downtime and lost productivity. 
The lack of specific victim counts or sector targeting in the source data makes it difficult to quantify the impact precisely, but the broad range of potential vulnerabilities and their potential consequences warrant immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect potential exploitation attempts targeting n8n instances (see \u0026ldquo;Descriptive Detection Rule Name\u0026rdquo; in the \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits and penetration testing of n8n instances to identify and remediate vulnerabilities before they can be exploited.\u003c/li\u003e\n\u003cli\u003eEnforce strict input validation and sanitization measures to prevent SQL injection and XSS attacks.\u003c/li\u003e\n\u003cli\u003eApply the principle of least privilege to limit the permissions of the n8n process and users.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity related to n8n instances, such as unusual API calls or connections to malicious domains.\u003c/li\u003e\n\u003cli\u003eRegularly review and update n8n workflows to ensure they are secure and do not contain any malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:23:56Z","date_published":"2026-04-23T10:23:56Z","id":"/briefs/2026-04-n8n-multiple-vulnerabilities/","summary":"Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.","title":"Multiple Vulnerabilities in n8n Workflow Automation 
Tool","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-multiple-vulnerabilities/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","dagster","injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in Dagster\u0026rsquo;s I/O managers for DuckDB, Snowflake, BigQuery, and DeltaLake. The vulnerability stems from the construction of SQL WHERE clauses where dynamic partition key values are interpolated into queries without proper escaping. This allows an attacker with the \u003ccode\u003eAdd Dynamic Partitions\u003c/code\u003e permission to inject arbitrary SQL code. The injected SQL would then execute against the target database backend using the I/O manager\u0026rsquo;s credentials. This issue affects Dagster OSS versions up to 1.13.0, and dagster-* package versions up to 0.29.0. This vulnerability is most relevant when the \u003ccode\u003eAdd Dynamic Partitions\u003c/code\u003e permission is granted independently of broader database access, such as in multi-tenant or custom RBAC configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the Dagster API with the \u003ccode\u003eAdd Dynamic Partitions\u003c/code\u003e permission. 
This could be through compromised credentials or a misconfigured RBAC setup.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious dynamic partition key containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Dagster API to create a new dynamic partition or modify an existing one, injecting the malicious key.\u003c/li\u003e\n\u003cli\u003eA Dagster pipeline or asset execution is triggered that utilizes the dynamic partitions functionality and the vulnerable I/O manager.\u003c/li\u003e\n\u003cli\u003eWhen the I/O manager constructs the SQL query, the malicious partition key is interpolated without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the target database (DuckDB, Snowflake, BigQuery, or DeltaLake) using the I/O manager\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker can read sensitive data, modify existing data, or potentially escalate privileges within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as exfiltrating data or compromising the database\u0026rsquo;s integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to unauthorized access and modification of data within the affected databases. The impact is particularly high in deployments where the \u003ccode\u003eAdd Dynamic Partitions\u003c/code\u003e permission is granted to users without broader database access. This vulnerability could allow attackers to bypass intended access controls and potentially gain full control of the database, leading to data breaches, data corruption, or denial of service. 
The number of affected deployments is currently unknown, but organizations using Dagster with dynamic partitions should assess their exposure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all \u003ccode\u003edagster-*\u003c/code\u003e packages (dagster-duckdb, dagster-snowflake, dagster-gcp, dagster-deltalake, dagster-snowflake-polars) to versions greater than 0.29.0 and \u003ccode\u003edagster\u003c/code\u003e package to versions greater than 1.13.0 as outlined in the advisory to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions within Dagster, specifically focusing on who has the \u003ccode\u003eAdd Dynamic Partitions\u003c/code\u003e permission, and restrict access to only trusted users to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor Dagster logs for suspicious API requests related to the creation or modification of dynamic partitions to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement database auditing to track SQL queries executed by the I/O manager and identify potential SQL injection attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T01:07:59Z","date_published":"2026-04-18T01:07:59Z","id":"/briefs/2024-01-02-dagster-sqli/","summary":"A SQL injection vulnerability exists in Dagster's DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers, where a user with 'Add Dynamic Partitions' permission can inject arbitrary SQL due to improper escaping of dynamic partition key values, leading to unauthorized data access or modification.","title":"Dagster SQL Injection Vulnerability in Dynamic Partition 
Keys","url":"https://feed.craftedsignal.io/briefs/2024-01-02-dagster-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5785"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5785","sqli","manageengine","pam360","passwordmanagerpro"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZohocorp ManageEngine PAM360 and Password Manager Pro are affected by an authenticated SQL injection vulnerability within the query report module. This vulnerability, identified as CVE-2026-5785, impacts PAM360 versions prior to 8531 and Password Manager Pro versions ranging from 8600 to 13230. An attacker with valid, albeit low-privileged, credentials can exploit this flaw by injecting malicious SQL queries through the affected module. Successful exploitation could lead to unauthorized data access, modification, or even complete database compromise. Defenders must apply the necessary patches to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains valid, low-privileged credentials to ManageEngine PAM360 or Password Manager Pro application.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the ManageEngine application with the obtained credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the \u0026ldquo;query report\u0026rdquo; module within the application\u0026rsquo;s interface.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL query containing SQL injection payloads within report generation parameters.\u003c/li\u003e\n\u003cli\u003eThe application processes the crafted SQL query without proper sanitization, executing the injected SQL commands.\u003c/li\u003e\n\u003cli\u003eThe database executes the malicious SQL query, leading to unintended data retrieval (exfiltration) or modification.\u003c/li\u003e\n\u003cli\u003eAttacker extracts sensitive information like usernames, passwords, or 
configuration details from the database.\u003c/li\u003e\n\u003cli\u003eAttacker may further exploit the SQL injection to modify database records, escalate privileges, or compromise other application functionalities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5785 can result in significant data breaches and compromise of sensitive assets managed by ManageEngine PAM360 and Password Manager Pro. An attacker could potentially gain unauthorized access to credentials, configuration settings, and other critical information stored within the database. The impact can range from data theft and service disruption to complete system compromise, potentially affecting hundreds of organizations relying on these products for privileged access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ManageEngine PAM360 to version 8531 or later to patch CVE-2026-5785.\u003c/li\u003e\n\u003cli\u003eImmediately upgrade ManageEngine Password Manager Pro to a version later than 13230, or a version earlier than 8600.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious SQL syntax or unusual database query patterns related to the query report module using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the ManageEngine application to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eEnable database auditing to detect and investigate any unauthorized database access or modification attempts stemming from CVE-2026-5785.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-manageengine-sqli/","summary":"An authenticated SQL injection vulnerability (CVE-2026-5785) in the query report module of Zohocorp ManageEngine PAM360 versions before 8531 
and ManageEngine Password Manager Pro versions from 8600 to 13230 allows attackers with low privileges to potentially read or modify sensitive database information.","title":"ManageEngine PAM360 and Password Manager Pro Authenticated SQL Injection Vulnerability (CVE-2026-5785)","url":"https://feed.craftedsignal.io/briefs/2026-04-manageengine-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3599"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","sqli","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Riaxe Product Customizer plugin, a WordPress plugin, is susceptible to SQL Injection attacks. This vulnerability resides within the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e REST API endpoint, specifically through the \u0026lsquo;options\u0026rsquo; parameter keys nested within the \u0026lsquo;product_data\u0026rsquo;. All versions of the plugin up to and including 2.1.2 are affected. Due to insufficient input sanitization and inadequate preparation of SQL queries, unauthenticated attackers can inject malicious SQL code. Successful exploitation enables attackers to execute arbitrary SQL queries, potentially leading to sensitive data extraction. This poses a significant risk to WordPress sites utilizing the affected plugin, as attackers could gain access to user credentials, financial information, or other confidential data stored in the database. 
Defenders should prioritize patching or removing the plugin to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;=2.1.2) of the Riaxe Product Customizer plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u0026lsquo;product_data\u0026rsquo; parameter containing a manipulated \u0026lsquo;options\u0026rsquo; array.\u003c/li\u003e\n\u003cli\u003eWithin the \u0026lsquo;options\u0026rsquo; array, the attacker injects SQL code into one or more of the parameter keys.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request without properly sanitizing the injected SQL code.\u003c/li\u003e\n\u003cli\u003eThe application constructs a SQL query using the unsanitized input, effectively injecting the malicious code into the query.\u003c/li\u003e\n\u003cli\u003eThe database server executes the attacker-controlled SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the database, such as user credentials, by using the SQL injection vulnerability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-3599) allows unauthenticated attackers to extract sensitive information from the WordPress database. This may include user credentials (usernames, email addresses, and password hashes), customer data, financial information, and other confidential data stored within the database. The impact can range from defacement of the website and data theft, to complete compromise of the WordPress site and its associated server. 
Due to the widespread use of WordPress and its plugins, this vulnerability poses a significant threat to a potentially large number of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Riaxe Product Customizer plugin to a version higher than 2.1.2 to patch CVE-2026-3599.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempts via Riaxe Product Customizer Plugin\u003c/code\u003e to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/wp-json/InkXEProductDesignerLite/add-item-to-cart\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T06:16:17Z","date_published":"2026-04-16T06:16:17Z","id":"/briefs/2024-01-wordpress-sqli/","summary":"The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.","title":"Riaxe Product Customizer WordPress Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-65135"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","cve-2025-65135","school-management-system","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical time-based blind SQL injection vulnerability, identified as CVE-2025-65135, affects version 1.0 of the manikandan580 School-management-system. This vulnerability resides in the \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e script and is exploitable through the \u003ccode\u003efromdate\u003c/code\u003e POST parameter. 
Given the nature of the vulnerability, attackers can potentially bypass authentication and execute arbitrary SQL queries on the back-end database. Successful exploitation could lead to unauthorized access to sensitive student data, administrative credentials, and other confidential information managed by the school system. This vulnerability poses a significant risk to educational institutions utilizing the affected software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a manipulated \u003ccode\u003efromdate\u003c/code\u003e parameter containing a time-based blind SQL injection payload (e.g., \u003ccode\u003efromdate=1' AND SLEEP(5) -- -\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the crafted SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload executes a \u003ccode\u003eSLEEP()\u003c/code\u003e function or equivalent based on database type, causing a delay in the server\u0026rsquo;s response if the injected condition is true.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the server response time to infer the results of the injected SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the blind SQL injection technique to extract sensitive data from the database, such as usernames, passwords, and student records, character by character.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials to gain unauthorized administrative access to the School-management-system, leading to potential data breaches and system 
compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-65135 could result in a complete compromise of the manikandan580 School-management-system. Attackers could gain access to personally identifiable information (PII) of students, financial records, and other sensitive data. This data could be used for identity theft, financial fraud, or extortion. The vulnerable system could also be used as a launchpad for further attacks against other systems within the network. Due to the potential for widespread data breaches, this vulnerability represents a critical risk for schools and educational institutions using the affected software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates released by manikandan580 to address CVE-2025-65135.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection attacks on the \u003ccode\u003efromdate\u003c/code\u003e POST parameter in \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-school-management-sqli/","summary":"A time-based blind SQL injection vulnerability in manikandan580 School-management-system 1.0 allows unauthenticated attackers to 
potentially execute arbitrary SQL queries and gain unauthorized access to sensitive information.","title":"manikandan580 School-management-system SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-school-management-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-39815"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","fortinet","cve-2026-39815"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-39815 is an SQL injection vulnerability affecting Fortinet FortiDDoS-F versions 7.2.1 and 7.2.2. The vulnerability stems from improper neutralization of special elements used in SQL commands. According to Fortinet, an attacker with low privileges could exploit this vulnerability to execute unauthorized code or commands. While the exact attack vector is not detailed in the provided source material, successful exploitation would allow for arbitrary code execution within the context of the FortiDDoS-F appliance. This is a high-severity vulnerability because it could lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the FortiDDoS-F appliance with valid low-privilege credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL query containing special characters designed to exploit the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted SQL query to the vulnerable FortiDDoS-F endpoint. 
(The source does not specify the attack vector.)\u003c/li\u003e\n\u003cli\u003eThe FortiDDoS-F appliance processes the malicious SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is executed against the FortiDDoS-F database.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary SQL code, potentially gaining access to sensitive data or the ability to modify system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the injected SQL code to execute operating system commands on the FortiDDoS-F appliance.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and compromises the FortiDDoS-F system, potentially gaining complete control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39815 can lead to unauthorized code execution, sensitive data exposure, and complete system compromise of the Fortinet FortiDDoS-F appliance. While the number of potential victims is not specified, all organizations using Fortinet FortiDDoS-F versions 7.2.1 and 7.2.2 are vulnerable. 
A successful attack could disrupt network operations, compromise sensitive data, and allow attackers to use the FortiDDoS-F appliance as a pivot point for further attacks within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Fortinet FortiDDoS-F installations to a patched version that addresses CVE-2026-39815.\u003c/li\u003e\n\u003cli\u003eMonitor FortiDDoS-F systems for suspicious activity, including unusual SQL queries, leveraging the \u003ccode\u003ewebserver\u003c/code\u003e log source to detect anomalous HTTP requests related to potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious FortiDDoS-F SQL Injection Attempts\u003c/code\u003e to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-fortinet-sqli/","summary":"An SQL injection vulnerability (CVE-2026-39815) in Fortinet FortiDDoS-F versions 7.2.1 through 7.2.2 may allow a low-privilege attacker to execute unauthorized code or commands.","title":"Fortinet FortiDDoS-F SQL Injection Vulnerability (CVE-2026-39815)","url":"https://feed.craftedsignal.io/briefs/2026-04-fortinet-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6193"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-6193","php","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw has been identified in PHPGurukul Daily Expense Tracking System version 1.1. This vulnerability resides in the \u003ccode\u003e/register.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eemail\u003c/code\u003e argument. 
Successful exploitation enables remote SQL injection, potentially granting attackers unauthorized access to sensitive database information or allowing them to modify data. This vulnerability, identified as CVE-2026-6193, has a CVSS v3.1 score of 7.3, indicating a high level of severity. The existence of a publicly available exploit increases the risk of widespread exploitation. Organizations using this software should take immediate action to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of PHPGurukul Daily Expense Tracking System 1.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/register.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects SQL code into the \u003ccode\u003eemail\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, potentially allowing the attacker to read, modify, or delete data.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the initial SQL injection to escalate privileges within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially gain access to administrative credentials stored in the database.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker uses the compromised credentials to gain full control over the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to severe consequences. Attackers could gain unauthorized access to sensitive user data, including usernames, passwords, and financial information. 
This could result in identity theft, financial fraud, and reputational damage for both the organization and its users. The attacker could also modify or delete data, disrupt the application\u0026rsquo;s functionality, or even gain complete control of the server. Given the availability of a public exploit, the likelihood of attacks is significantly increased.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates provided by PHPGurukul to address CVE-2026-6193.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Attempts in PHPGurukul Registration\u0026rdquo; to identify exploitation attempts targeting the \u003ccode\u003e/register.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures on the \u003ccode\u003eemail\u003c/code\u003e parameter in \u003ccode\u003e/register.php\u003c/code\u003e to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual characters or SQL syntax in the \u003ccode\u003eemail\u003c/code\u003e parameter, which could indicate an attempted SQL injection (webserver log source).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing SQL injection payloads targeting \u003ccode\u003e/register.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-php-gurukul-sqli/","summary":"A remote SQL injection vulnerability exists in PHPGurukul Daily Expense Tracking System 1.1 within the /register.php file, where manipulation of the email argument allows for arbitrary SQL command execution, with a public exploit available.","title":"PHPGurukul Daily Expense Tracking System SQL Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-php-gurukul-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6182"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-6182"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in code-projects Simple Content Management System (CMS) version 1.0. The vulnerability resides in the \u003ccode\u003e/web/admin/login.php\u003c/code\u003e file and stems from improper sanitization of user-supplied input within the \u003ccode\u003eUser\u003c/code\u003e argument. An unauthenticated, remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploits exist, increasing the risk of widespread exploitation. Given the simplicity of the targeted software, many small businesses or personal websites could be running vulnerable instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a publicly accessible instance of Simple Content Management System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/web/admin/login.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload within the \u003ccode\u003eUser\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious payload to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL commands, allowing the attacker to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized administrative access to the CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the CMS content or extracts 
sensitive data from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may install a web shell for persistent access and further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants attackers unauthorized access to the Simple Content Management System 1.0. This can lead to sensitive data exfiltration, modification of website content (defacement), or complete takeover of the underlying server. The vulnerable software is likely used by individuals or small businesses, potentially leading to a significant impact on their online presence and data security. Given the public availability of exploits, mass exploitation is a realistic threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/web/admin/login.php\u003c/code\u003e containing suspicious characters or SQL keywords in the \u003ccode\u003eUser\u003c/code\u003e parameter to detect potential exploitation attempts (see rule: \u0026ldquo;Detect SQL Injection Attempts in Simple CMS Login\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual database errors originating from \u003ccode\u003e/web/admin/login.php\u003c/code\u003e, which may indicate successful SQL injection (see rule: \u0026ldquo;Detect Simple CMS SQL Injection Errors\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied data, particularly within the \u003ccode\u003e/web/admin/login.php\u003c/code\u003e script, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eOrganizations using code-projects Simple Content Management System 1.0 should consider migrating to a more secure platform or applying security patches if available from the 
vendor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T15:17:49Z","date_published":"2026-04-13T15:17:49Z","id":"/briefs/2026-04-simple-cms-sqli/","summary":"A remote SQL injection vulnerability exists in code-projects Simple Content Management System 1.0, specifically affecting the /web/admin/login.php file where manipulation of the 'User' argument allows unauthenticated attackers to execute arbitrary SQL queries.","title":"SQL Injection Vulnerability in Simple Content Management System 1.0","url":"https://feed.craftedsignal.io/briefs/2026-04-simple-cms-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6165"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-6165"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6165 identifies an SQL injection vulnerability within the code-projects Vehicle Showroom Management System version 1.0. The vulnerability resides in the \u003ccode\u003e/util/Login_check.php\u003c/code\u003e file and can be exploited by manipulating the \u003ccode\u003eID\u003c/code\u003e argument. Successful exploitation allows attackers to inject malicious SQL queries, potentially gaining unauthorized access to sensitive data, modifying database contents, or even executing arbitrary commands on the underlying server. As a publicly available exploit exists, the risk of exploitation is elevated, making it crucial for organizations using this software to implement mitigation measures. 
The scope of this vulnerability impacts any deployment of the affected Vehicle Showroom Management System version 1.0 exposed to network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Vehicle Showroom Management System 1.0 instance exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/util/Login_check.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003eID\u003c/code\u003e parameter of the HTTP request, bypassing input validation.\u003c/li\u003e\n\u003cli\u003eThe web application processes the malicious SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information from the database, such as user credentials or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify database entries, such as altering prices or inventory.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially leverage the SQL injection to gain code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6165 can lead to a range of severe consequences. An attacker could gain unauthorized access to sensitive customer data, including personally identifiable information (PII) and financial details. Data breaches can result in significant financial losses, reputational damage, and legal liabilities. Furthermore, the ability to modify database contents could lead to manipulated sales figures, altered inventory, or even complete disruption of business operations. 
The vulnerability\u0026rsquo;s potential for remote code execution poses the highest risk, allowing attackers to establish a persistent foothold within the organization\u0026rsquo;s infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization techniques to the \u003ccode\u003eID\u003c/code\u003e parameter in \u003ccode\u003e/util/Login_check.php\u003c/code\u003e to prevent SQL injection (CVE-2026-6165).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious HTTP requests targeting \u003ccode\u003e/util/Login_check.php\u003c/code\u003e with potential SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) to filter malicious traffic and block known SQL injection patterns.\u003c/li\u003e\n\u003cli\u003eRegularly audit and patch all software components to address known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity and potential signs of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T06:17:51Z","date_published":"2026-04-13T06:17:51Z","id":"/briefs/2026-04-vehicle-showroom-sqli/","summary":"A remote attacker can exploit an SQL injection vulnerability (CVE-2026-6165) in code-projects Vehicle Showroom Management System 1.0 by manipulating the ID parameter in /util/Login_check.php, potentially leading to unauthorized data access and modification.","title":"SQL Injection Vulnerability in Vehicle Showroom Management System 1.0","url":"https://feed.craftedsignal.io/briefs/2026-04-vehicle-showroom-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25710"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25710","dolibarr","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDolibarr ERP-CRM is a popular open-source enterprise 
resource planning and customer relationship management software. Version 8.0.4 of Dolibarr is susceptible to a critical SQL injection vulnerability (CVE-2019-25710) affecting the \u003ccode\u003erowid\u003c/code\u003e parameter in the \u003ccode\u003eadmin/dict.php\u003c/code\u003e endpoint. This flaw allows unauthenticated attackers to inject malicious SQL code through the \u003ccode\u003erowid\u003c/code\u003e POST parameter. Successful exploitation enables attackers to execute arbitrary SQL queries against the Dolibarr database, potentially leading to the exposure of sensitive information, modification of data, or complete compromise of the application. This vulnerability can be exploited using error-based SQL injection techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Dolibarr ERP-CRM instance running version 8.0.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eadmin/dict.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003erowid\u003c/code\u003e parameter containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request and executes the injected SQL code within the database query.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages error-based SQL injection techniques to extract sensitive information from the database, such as user credentials, API keys, or financial data.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the error messages returned by the application to refine the SQL injection payload and bypass any security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially uses the extracted credentials to gain unauthorized access to other parts of the application or the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to severe consequences, including unauthorized access to sensitive data, data breaches, and complete compromise of the Dolibarr ERP-CRM system. The vulnerability allows attackers to extract sensitive database information, modify data, or potentially execute arbitrary code on the server. Given that ERP and CRM systems often contain critical business data, the impact can be significant for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade to a secure version of Dolibarr ERP-CRM to remediate CVE-2019-25710.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Dolibarr rowid Parameter SQL Injection Attempt\u003c/code\u003e to your SIEM to identify potential exploitation attempts against the \u003ccode\u003eadmin/dict.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003eadmin/dict.php\u003c/code\u003e with suspicious characters or SQL keywords in the \u003ccode\u003erowid\u003c/code\u003e parameter to detect potential attacks.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to filter out malicious SQL injection payloads targeting the \u003ccode\u003erowid\u003c/code\u003e parameter in \u003ccode\u003eadmin/dict.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:34Z","date_published":"2026-04-12T13:16:34Z","id":"/briefs/2026-04-dolibarr-sqli/","summary":"Dolibarr ERP-CRM 8.0.4 is vulnerable to SQL injection via the rowid parameter in the admin/dict.php endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive database information.","title":"Dolibarr ERP-CRM 8.0.4 SQL Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dolibarr-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2019-25703"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","impresscms","cve-2019-25703"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eImpressCMS is an open-source content management system. Version 1.3.11 is vulnerable to a time-based blind SQL injection vulnerability (CVE-2019-25703). An authenticated attacker can exploit this vulnerability by injecting malicious SQL code into the \u0026lsquo;bid\u0026rsquo; parameter. Successful exploitation allows the attacker to manipulate database queries, potentially leading to the extraction of sensitive information. This vulnerability requires authentication, limiting the scope of potential attackers, but the impact can be severe if exploited successfully. The vulnerability was reported and disclosed in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the ImpressCMS application with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003eadmin.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003ebid\u003c/code\u003e parameter containing a SQL injection payload designed to cause a time delay.\u003c/li\u003e\n\u003cli\u003eThe ImpressCMS application processes the POST request without proper sanitization of the \u003ccode\u003ebid\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the underlying database, causing a time-based delay.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the response time to confirm successful injection.\u003c/li\u003e\n\u003cli\u003eThe attacker refines the SQL injection payload to extract sensitive information from the database using 
techniques like \u003ccode\u003eSLEEP()\u003c/code\u003e and conditional queries.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the sensitive data obtained from the database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read sensitive data from the ImpressCMS database. This may include user credentials, configuration details, and other confidential information. While the exploit requires authentication, a successful attack could lead to complete compromise of the application and its data, potentially impacting all users and the integrity of the website. The CVSS v3.1 score of 7.1 reflects the high potential impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patches or upgrade to a version of ImpressCMS that addresses CVE-2019-25703 to remediate the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect malicious POST requests containing SQL injection attempts targeting the \u003ccode\u003eadmin.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003ebid\u003c/code\u003e parameter within the ImpressCMS application to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003eadmin.php\u003c/code\u003e with unusual parameters, as this can be an indicator of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to the \u003ccode\u003eadmin.php\u003c/code\u003e endpoint to only authorized users to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:33Z","date_published":"2026-04-12T13:16:33Z","id":"/briefs/2026-04-impresscms-sqli/","summary":"ImpressCMS 1.3.11 contains a 
time-based blind SQL injection vulnerability allowing authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter via POST requests to the admin.php endpoint.","title":"ImpressCMS 1.3.11 Time-Based Blind SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-impresscms-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25697"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25697","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCMSsite 1.0 is susceptible to an SQL injection vulnerability (CVE-2019-25697) within the category.php script. This flaw allows unauthenticated, remote attackers to inject arbitrary SQL commands by manipulating the \u003ccode\u003ecat_id\u003c/code\u003e GET parameter. Successful exploitation could lead to the disclosure of sensitive information stored within the database, including user credentials and other application data. Given the ease of exploitation and the potential impact, this vulnerability poses a significant risk to organizations using the affected CMSsite version. 
The vulnerability was reported to NVD and assigned a CVSS v3.1 score of 8.2, indicating high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a CMSsite 1.0 installation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting \u003ccode\u003ecategory.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003ecat_id\u003c/code\u003e parameter of the GET request, for example: \u003ccode\u003ecategory.php?cat_id=1' OR '1'='1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the tainted \u003ccode\u003ecat_id\u003c/code\u003e value to the underlying SQL database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the database query, potentially bypassing intended security checks.\u003c/li\u003e\n\u003cli\u003eThe database executes the modified query, returning sensitive data to the web server.\u003c/li\u003e\n\u003cli\u003eThe web server includes the extracted data in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to extract sensitive information such as usernames, passwords, or other confidential data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows an unauthenticated attacker to read sensitive information from the CMSsite 1.0 database. This can lead to complete compromise of the application, including unauthorized access to user accounts, exposure of confidential data, and potential further attacks on the underlying system. 
Given the lack of required authentication, any CMSsite 1.0 instance exposed to the internet is a potential target.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003ecat_id\u003c/code\u003e parameter in \u003ccode\u003ecategory.php\u003c/code\u003e to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious GET Requests to category.php with SQL Injection Attempts\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eRestrict database access privileges to the minimum necessary for the application to function.\u003c/li\u003e\n\u003cli\u003eConsider upgrading to a more secure CMS solution or applying a patch if one becomes available.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for unusual activity, paying close attention to GET requests targeting \u003ccode\u003ecategory.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement parameterized queries or prepared statements to prevent SQL injection vulnerabilities when interacting with the database.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:32Z","date_published":"2026-04-12T13:16:32Z","id":"/briefs/2026-04-cmssite-sqli/","summary":"CMSsite 1.0 is vulnerable to unauthenticated SQL injection (CVE-2019-25697) via the cat_id parameter in category.php, allowing attackers to extract sensitive database information.","title":"CMSsite 1.0 SQL Injection Vulnerability (CVE-2019-25697)","url":"https://feed.craftedsignal.io/briefs/2026-04-cmssite-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6036"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-6036","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6036 is a SQL injection vulnerability affecting 
Vehicle Showroom Management System version 1.0. The vulnerability resides within the \u003ccode\u003e/util/VehicleDetailsFunction.php\u003c/code\u003e file, specifically involving the \u003ccode\u003eVEHICLE_ID\u003c/code\u003e parameter. An unauthenticated attacker can remotely exploit this vulnerability by injecting malicious SQL code into the \u003ccode\u003eVEHICLE_ID\u003c/code\u003e argument. This allows for the potential execution of arbitrary SQL commands on the underlying database, potentially leading to data breaches, modification, or complete system compromise. A public exploit exists, increasing the likelihood of exploitation. The vulnerable software is commonly used for managing vehicle inventory and showroom operations, making organizations that rely on this software potential targets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Vehicle Showroom Management System 1.0 instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/util/VehicleDetailsFunction.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a modified \u003ccode\u003eVEHICLE_ID\u003c/code\u003e parameter containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003eVEHICLE_ID\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is directly incorporated into an SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information from the database, such as user credentials, vehicle details, or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials to gain unauthorized access to the system or exfiltrates the data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6036 allows an attacker to execute arbitrary SQL queries against the Vehicle Showroom Management System\u0026rsquo;s database. This could lead to the disclosure of sensitive customer information, modification of vehicle inventory data, or even complete compromise of the system. The vulnerability could result in significant financial losses, reputational damage, and legal liabilities for affected organizations. While the number of affected installations is unknown, Vehicle Showroom Management Systems are commonly used by dealerships and automotive businesses, making them attractive targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization techniques to the \u003ccode\u003eVEHICLE_ID\u003c/code\u003e parameter in \u003ccode\u003e/util/VehicleDetailsFunction.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SQL Injection Attempts in Vehicle Showroom Management System\u003c/code\u003e to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting \u003ccode\u003e/util/VehicleDetailsFunction.php\u003c/code\u003e with potentially malicious \u003ccode\u003eVEHICLE_ID\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T09:16:51Z","date_published":"2026-04-10T09:16:51Z","id":"/briefs/2026-04-vehicleshowroom-sqli/","summary":"A remote SQL injection vulnerability (CVE-2026-6036) exists in the Vehicle Showroom Management System 1.0 due to improper sanitization of the VEHICLE_ID parameter in 
/util/VehicleDetailsFunction.php, potentially allowing attackers to execute arbitrary SQL commands.","title":"SQL Injection Vulnerability in Vehicle Showroom Management System 1.0 (CVE-2026-6036)","url":"https://feed.craftedsignal.io/briefs/2026-04-vehicleshowroom-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5827"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-5827, affects code-projects Simple IT Discussion Forum version 1.0. The vulnerability resides in the \u003ccode\u003e/question-function.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003econtent\u003c/code\u003e argument. Successful exploitation allows a remote attacker to inject arbitrary SQL commands, potentially leading to data exfiltration, modification, or complete system compromise. This vulnerability is considered high risk due to its ease of exploitation and the sensitive nature of data often stored in forum databases. The exploit is publicly available, increasing the likelihood of widespread exploitation. 
Defenders should prioritize patching and implementing mitigations to prevent potential attacks against vulnerable Simple IT Discussion Forum instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Simple IT Discussion Forum 1.0 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/question-function.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload within the \u003ccode\u003econtent\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code.\u003c/li\u003e\n\u003cli\u003eThe attacker can extract sensitive data, such as user credentials or forum content.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify data within the database, altering forum posts or user profiles.\u003c/li\u003e\n\u003cli\u003eIn a worst-case scenario, the attacker gains complete control of the database server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can have severe consequences. An attacker can gain unauthorized access to sensitive data, including user credentials, private messages, and other confidential information stored within the Simple IT Discussion Forum database. This can lead to identity theft, financial fraud, and reputational damage. Furthermore, attackers can modify or delete data, disrupt forum operations, or even gain complete control of the underlying server. 
Given the public availability of the exploit, unpatched instances are at significant risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for code-projects Simple IT Discussion Forum 1.0 to address CVE-2026-5827.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003e/question-function.php\u003c/code\u003e file to prevent SQL injection attacks, specifically targeting the \u003ccode\u003econtent\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) with rules to detect and block SQL injection attempts against \u003ccode\u003e/question-function.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual characters or SQL keywords in the \u003ccode\u003econtent\u003c/code\u003e parameter of requests to \u003ccode\u003e/question-function.php\u003c/code\u003e. 
Enable webserver logging to activate the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect SQL injection attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T01:16:50Z","date_published":"2026-04-09T01:16:50Z","id":"/briefs/2026-04-simple-it-forum-sqli/","summary":"CVE-2026-5827 is a SQL injection vulnerability in code-projects Simple IT Discussion Forum 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'content' argument in /question-function.php.","title":"Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5827)","url":"https://feed.craftedsignal.io/briefs/2026-04-simple-it-forum-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3396"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["woocommerce","sqli","cve-2026-3396","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WooCommerce Ajax Product Filter (WCAPF) plugin, a WordPress extension, is susceptible to a time-based SQL Injection vulnerability (CVE-2026-3396). This flaw stems from inadequate input sanitization of the \u003ccode\u003epost-author\u003c/code\u003e parameter and insufficient preparation within the existing SQL query structure. Specifically, all versions of the plugin up to and including version 4.2.3 are affected. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the \u003ccode\u003epost-author\u003c/code\u003e parameter. Successful exploitation allows the attacker to manipulate database queries and extract sensitive information without requiring authentication. 
This vulnerability poses a significant risk to e-commerce sites using the WCAPF plugin, as attackers could potentially access customer data, administrative credentials, or other confidential information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WooCommerce website using a vulnerable version (\u0026lt;=4.2.3) of the WCAPF plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable \u003ccode\u003epost-author\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload within the \u003ccode\u003epost-author\u003c/code\u003e parameter, designed to extract data using time-based techniques. For example, the attacker might use a \u003ccode\u003eSLEEP()\u003c/code\u003e function to introduce delays based on conditional database queries.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the unsanitized \u003ccode\u003epost-author\u003c/code\u003e parameter to the database query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the original query, causing the database to execute the attacker\u0026rsquo;s malicious commands.\u003c/li\u003e\n\u003cli\u003eBased on the response time (due to the \u003ccode\u003eSLEEP()\u003c/code\u003e function), the attacker infers whether their injected SQL query was successful in retrieving specific data.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively refines their SQL injection payload to extract sensitive information, such as user credentials or customer details.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the obtained data, potentially using it for identity theft, financial fraud, or further attacks against the compromised website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation
of CVE-2026-3396 can lead to the complete compromise of the vulnerable WooCommerce website\u0026rsquo;s database. An attacker could potentially access sensitive customer data, including names, addresses, credit card details, and purchase history. Furthermore, administrative credentials could be stolen, allowing the attacker to gain full control over the website. This can result in significant financial losses, reputational damage, and legal liabilities for the affected e-commerce business. While the exact number of affected websites is unknown, any online store using the WCAPF plugin versions 4.2.3 or earlier is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WCAPF plugin to a version greater than 4.2.3 to patch CVE-2026-3396 (references: CVE-2026-3396).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WooCommerce SQL Injection Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs (references: Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003epost-author\u003c/code\u003e parameter to prevent SQL injection attacks (references: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads, particularly those targeting WCAPF plugin endpoints (references: Sigma rule, Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:16:21Z","date_published":"2026-04-08T12:16:21Z","id":"/briefs/2026-04-woocommerce-sqli/","summary":"The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.","title":"WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection 
(CVE-2026-3396)","url":"https://feed.craftedsignal.io/briefs/2026-04-woocommerce-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5665"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-5665","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in code-projects Online FIR System version 1.0. The vulnerability resides within the \u003ccode\u003e/Login/checklogin.php\u003c/code\u003e file, specifically affecting the login component. An attacker can remotely exploit this vulnerability by manipulating the \u003ccode\u003eemail\u003c/code\u003e or \u003ccode\u003epassword\u003c/code\u003e parameters within a request. The vulnerability has been assigned CVE-2026-5665 and given a CVSS v3.1 score of 7.3, indicating a high severity. Public exploits exist, meaning defenders should prioritize detection and mitigation measures. This vulnerability poses a significant risk to organizations using the affected software, as successful exploitation could lead to data breaches, account takeover, or other unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of code-projects Online FIR System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/Login/checklogin.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes SQL injection payloads within the \u003ccode\u003eemail\u003c/code\u003e or \u003ccode\u003epassword\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious payload to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, allowing the attacker to read, modify, or delete data.\u003c/li\u003e\n\u003cli\u003eThe attacker 
may extract sensitive information such as user credentials or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker could use the extracted credentials to gain unauthorized access to user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker could escalate privileges within the system, potentially gaining full control of the application and underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can have severe consequences. An attacker could gain unauthorized access to sensitive data, including user credentials, personal information, and financial records. This can lead to identity theft, financial loss, and reputational damage. The number of potential victims depends on the number of installations of the vulnerable Online FIR System. The targeted sectors are unknown, but any organization using this system is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to \u003ccode\u003e/Login/checklogin.php\u003c/code\u003e containing SQL injection attempts using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eemail\u003c/code\u003e and \u003ccode\u003epassword\u003c/code\u003e parameters in \u003ccode\u003e/Login/checklogin.php\u003c/code\u003e to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to or from the known malicious URLs listed in the IOC table.\u003c/li\u003e\n\u003cli\u003eConsider implementing a web application firewall (WAF) rule to block known SQL injection patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:41Z","date_published":"2026-04-06T16:16:41Z","id":"/briefs/2026-04-online-fir-sqli/","summary":"A SQL injection vulnerability in code-projects Online FIR System 1.0 
allows remote attackers to execute arbitrary SQL commands by manipulating the email or password parameters in the /Login/checklogin.php file.","title":"code-projects Online FIR System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-online-fir-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-29047"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["glpi","sqli","cve-2026-29047"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGLPI is a free asset and IT management software package. CVE-2026-29047 affects GLPI versions 10.0.0 up to, but not including, 10.0.24, as well as version 11.0.6. An authenticated user can exploit a SQL injection vulnerability present in the logs export feature. Successful exploitation could allow an attacker to read sensitive data, modify database content, or even execute arbitrary commands on the underlying database server. Organizations using vulnerable versions of GLPI should upgrade to versions 10.0.24 or 11.0.6 as soon as possible to mitigate the risk. This vulnerability highlights the importance of keeping software up to date with the latest security patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid user credentials to a GLPI instance (versions 10.0.0 to 10.0.23 or 11.0.0 to 11.0.5).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GLPI web interface using the acquired credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;logs export\u0026rdquo; feature within the GLPI interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL query and injects it into a parameter that is used when exporting the logs.
This parameter is not properly sanitized.\u003c/li\u003e\n\u003cli\u003eThe GLPI application processes the crafted SQL query without proper sanitization, leading to SQL injection.\u003c/li\u003e\n\u003cli\u003eThe injected SQL query is executed against the GLPI database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data from the database or modifies existing data.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates the attack, potentially gaining control of the underlying database server depending on database privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29047 can lead to unauthorized access to sensitive information stored in the GLPI database, such as user credentials, asset information, and IT configuration details. An attacker could modify or delete critical data, disrupt IT operations, and potentially gain control over the entire GLPI system. This could impact all organizations utilizing the vulnerable GLPI version, potentially leading to data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GLPI to version 10.0.24 or 11.0.6 to patch CVE-2026-29047 (references: advisory in Overview).\u003c/li\u003e\n\u003cli\u003eImplement database activity monitoring to detect and alert on suspicious SQL queries (references: Attack Chain step 6).\u003c/li\u003e\n\u003cli\u003eReview user access controls and enforce the principle of least privilege to limit the impact of compromised accounts (references: Attack Chain step 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect potential exploitation attempts targeting the logs export feature (references: rules section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:07Z","date_published":"2026-04-06T15:17:07Z","id":"/briefs/2026-04-glpi-sqli/","summary":"GLPI versions 
10.0.0 before 10.0.24 and 11.0.6 are vulnerable to SQL Injection (CVE-2026-29047) via the logs export feature, allowing authenticated users to potentially execute arbitrary SQL commands.","title":"GLPI SQL Injection Vulnerability (CVE-2026-29047)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5634"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-5634"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA publicly disclosed SQL injection vulnerability affects projectworlds Car Rental Project version 1.0. This vulnerability, identified as CVE-2026-5634, resides in the \u003ccode\u003e/book_car.php\u003c/code\u003e file, specifically within the parameter handler. An attacker can remotely manipulate the \u003ccode\u003efname\u003c/code\u003e argument to inject arbitrary SQL commands. Given the availability of exploit code, the risk of exploitation is elevated. Successful exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire application and its data. Defenders need to focus on detecting and preventing malicious requests targeting the vulnerable endpoint.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the vulnerable \u003ccode\u003e/book_car.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request to \u003ccode\u003e/book_car.php\u003c/code\u003e, injecting SQL code into the \u003ccode\u003efname\u003c/code\u003e parameter. 
For example, \u003ccode\u003efname=value' OR '1'='1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the tainted \u003ccode\u003efname\u003c/code\u003e parameter to the application\u0026rsquo;s SQL query.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper input sanitization, the injected SQL code is executed by the database server.\u003c/li\u003e\n\u003cli\u003eThe attacker can leverage the SQL injection vulnerability to bypass authentication, extract sensitive data (e.g., user credentials, car availability), or modify data (e.g., alter booking information, escalate privileges).\u003c/li\u003e\n\u003cli\u003eThe database server returns the results of the injected SQL query to the application.\u003c/li\u003e\n\u003cli\u003eThe application displays the results to the attacker, or uses them internally to further the attack.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the application\u0026rsquo;s data and functionality, potentially leading to complete compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5634 can lead to significant data breaches, data manipulation, and service disruption. An attacker could potentially gain access to sensitive customer data, including personal information and booking details. This can result in financial losses, reputational damage, and legal liabilities for the affected organization. 
The number of potential victims is dependent on the user base of the affected Car Rental Project 1.0 installation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious requests containing SQL syntax within the \u003ccode\u003efname\u003c/code\u003e parameter targeting \u003ccode\u003e/book_car.php\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to exploit the SQL injection vulnerability by monitoring web server logs (cs-uri-query).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003efname\u003c/code\u003e parameter in \u003ccode\u003e/book_car.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Car Rental Project that addresses CVE-2026-5634, if available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T12:00:00Z","date_published":"2026-04-06T12:00:00Z","id":"/briefs/2026-04-car-rental-sqli/","summary":"A remote SQL injection vulnerability (CVE-2026-5634) exists in projectworlds Car Rental Project 1.0 via the fname parameter in /book_car.php, allowing unauthenticated attackers to potentially read, modify, or delete database information.","title":"SQL Injection Vulnerability in Car Rental Project 1.0 (CVE-2026-5634)","url":"https://feed.craftedsignal.io/briefs/2026-04-car-rental-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25692"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25692","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKados R10 GreenBee is susceptible to an SQL injection vulnerability 
(CVE-2019-25692) affecting the \u0026lsquo;id_to_modify\u0026rsquo; parameter. An attacker can inject malicious SQL code into this parameter through crafted HTTP requests. Successful exploitation allows the attacker to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. This vulnerability poses a significant risk to organizations using Kados R10 GreenBee, as it could compromise the confidentiality, integrity, and availability of their data. The vulnerability was reported in 2026. The scope of targeting is any system running a vulnerable version of Kados R10 GreenBee.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an endpoint in the Kados R10 GreenBee application that utilizes the \u0026lsquo;id_to_modify\u0026rsquo; parameter in a database query.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing SQL injection payloads within the \u0026lsquo;id_to_modify\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP request to the vulnerable Kados R10 GreenBee endpoint.\u003c/li\u003e\n\u003cli\u003eThe Kados R10 GreenBee application fails to properly sanitize the \u0026lsquo;id_to_modify\u0026rsquo; parameter before incorporating it into a database query.\u003c/li\u003e\n\u003cli\u003eThe database server executes the malicious SQL code injected by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive database information via SELECT queries (e.g., usernames, passwords, personal data).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies database records using INSERT, UPDATE, or DELETE queries, causing data corruption or unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges within the database or gain access to the underlying operating system depending on the database configuration 
and permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to a range of damaging consequences. An attacker could potentially access sensitive customer data, financial records, or proprietary information. They could also modify or delete data, leading to data corruption, service disruption, or financial loss. The number of affected systems and the potential damage depend on the deployment and data stored within the vulnerable Kados R10 GreenBee instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious requests targeting Kados R10 GreenBee endpoints that use the \u003ccode\u003eid_to_modify\u003c/code\u003e parameter, looking for SQL syntax such as \u003ccode\u003eUNION\u003c/code\u003e, \u003ccode\u003eSELECT\u003c/code\u003e, \u003ccode\u003eUPDATE\u003c/code\u003e, or \u003ccode\u003eDELETE\u003c/code\u003e (see \u0026ldquo;Detect Suspicious SQL Injection Attempt\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect SQL Injection via HTTP Request\u0026rdquo; Sigma rule to monitor for potential SQL injection attempts based on common SQL injection payloads in HTTP requests.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures for all user-supplied data, especially the \u0026lsquo;id_to_modify\u0026rsquo; parameter, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eUpgrade Kados R10 GreenBee to a patched version that addresses CVE-2019-25692.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:47Z","date_published":"2026-04-05T21:16:47Z","id":"/briefs/2026-04-kados-sqli/","summary":"Kados R10 GreenBee is vulnerable to SQL injection via the 'id_to_modify' parameter, enabling attackers to manipulate database queries and potentially extract or modify 
sensitive data.","title":"Kados R10 GreenBee SQL Injection Vulnerability (CVE-2019-25692)","url":"https://feed.craftedsignal.io/briefs/2026-04-kados-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25684"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","vulnerability","opendocman"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenDocMan 1.3.4 is susceptible to SQL injection attacks due to insufficient input validation. An unauthenticated attacker can inject malicious SQL code into the \u0026lsquo;where\u0026rsquo; parameter of the \u003ccode\u003esearch.php\u003c/code\u003e endpoint. This vulnerability allows attackers to bypass normal query restrictions, potentially leading to the extraction of sensitive data from the database. The vulnerability was published on 2026-04-05 and assigned CVE-2019-25684. Successful exploitation grants attackers unauthorized access to database contents without requiring authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an OpenDocMan 1.3.4 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/search.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003ewhere\u003c/code\u003e parameter of the GET request.\u003c/li\u003e\n\u003cli\u003eThe web server passes the crafted SQL query to the database without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, potentially returning sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the database response containing the extracted information.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the extracted data for sensitive information such as usernames, passwords, or confidential documents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to the complete compromise of the OpenDocMan database. An attacker can access sensitive information, including user credentials and confidential documents, potentially impacting all users of the affected OpenDocMan instance. There are no specific details about victim counts or targeted sectors available, but the impact could be widespread, depending on the deployment of OpenDocMan.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003ewhere\u003c/code\u003e parameter in \u003ccode\u003esearch.php\u003c/code\u003e to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to exploit CVE-2019-25684 by monitoring for suspicious SQL syntax in the \u0026lsquo;where\u0026rsquo; parameter within web server logs.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of OpenDocMan that addresses this vulnerability when available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity targeting the \u003ccode\u003esearch.php\u003c/code\u003e endpoint, as indicated in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:46Z","date_published":"2026-04-05T21:16:46Z","id":"/briefs/2026-04-opendocman-sqli/","summary":"OpenDocMan version 1.3.4 is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries via the 'where' parameter in search.php to extract sensitive information.","title":"OpenDocMan 1.3.4 SQL Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-opendocman-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25680"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","vulnerability","webapp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAdvance Gift Shop Pro Script 2.0.3 is susceptible to SQL injection attacks due to insufficient input sanitization on the \u0026lsquo;s\u0026rsquo; parameter, which is used in search requests. This vulnerability, identified as CVE-2019-25680, enables unauthenticated remote attackers to inject malicious SQL code directly into the search query, potentially leading to full database compromise. Successful exploitation allows attackers to bypass authentication, retrieve sensitive data (such as usernames, passwords, or customer data), modify database content, or even execute arbitrary commands on the underlying server. This vulnerability poses a significant risk to e-commerce platforms utilizing this software, as it could result in data breaches, financial losses, and reputational damage.
Defenders should prioritize patching or mitigating this vulnerability immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an Advance Gift Shop Pro Script 2.0.3 installation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload, designed to exploit the \u0026lsquo;s\u0026rsquo; parameter in a search query.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted HTTP GET request to the target server, including the SQL injection payload in the \u0026lsquo;s\u0026rsquo; parameter (e.g., \u003ccode\u003e/?s=';SELECT version();--\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web application fails to properly sanitize the input, passing the malicious payload directly to the SQL database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL query, returning the results to the attacker. This could include database version information or other sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker refines the SQL injection payload to extract more sensitive data, such as user credentials or financial information, using techniques like UNION-based injection or time-based blind injection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to gain administrative access to the application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages administrative access to further compromise the system, potentially installing a web shell, exfiltrating sensitive data, or performing other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2019-25680) in Advance Gift Shop Pro Script 2.0.3 can have severe consequences.
Attackers can potentially access and exfiltrate sensitive customer data, including personally identifiable information (PII), financial records, and login credentials. Modification or deletion of data can lead to business disruption and financial losses. In severe cases, attackers could gain complete control over the web server, leading to further compromise of the entire infrastructure. The impact depends on the sensitivity of the data stored in the database and the extent of the attacker\u0026rsquo;s access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for Advance Gift Shop Pro Script 2.0.3 to address CVE-2019-25680.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization techniques to prevent SQL injection attacks. Focus on sanitizing the \u0026lsquo;s\u0026rsquo; parameter in search requests.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempt via URI\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to filter out malicious requests containing SQL injection payloads, based on the vulnerability (CVE-2019-25680).\u003c/li\u003e\n\u003cli\u003eRegularly monitor web server logs for suspicious activity, such as unusual database queries or error messages, as identified by the Sigma rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:46Z","date_published":"2026-04-05T21:16:46Z","id":"/briefs/2026-04-advance-giftshop-sqli/","summary":"Advance Gift Shop Pro Script 2.0.3 is vulnerable to SQL injection via the 's' search parameter, allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive database information.","title":"Advance Gift Shop Pro Script 2.0.3 SQL Injection
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-advance-giftshop-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25675"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","edirectory","cve-2019-25675"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2019-25675 describes multiple SQL injection vulnerabilities affecting eDirectory. An unauthenticated attacker can exploit these vulnerabilities to bypass administrator authentication and disclose sensitive files. The vulnerability lies in the \u003ccode\u003ekey\u003c/code\u003e parameter of the login endpoint. By injecting SQL code, specifically a UNION-based SQL injection, an attacker can authenticate as an administrator. After successful authentication, the attacker can then exploit file disclosure vulnerabilities in the \u003ccode\u003elanguage_file.php\u003c/code\u003e script to read arbitrary PHP files from the server, potentially exposing sensitive configuration data or credentials. 
This vulnerability poses a significant risk as it allows unauthorized access and data exfiltration without requiring any prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the login endpoint of eDirectory.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003ekey\u003c/code\u003e parameter within the request, using a UNION-based SQL injection technique.\u003c/li\u003e\n\u003cli\u003eThe eDirectory server improperly processes the SQL injection, allowing the attacker to bypass authentication and gain administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker, now authenticated as an administrator, sends a request to the \u003ccode\u003elanguage_file.php\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a file disclosure vulnerability in the \u003ccode\u003elanguage_file.php\u003c/code\u003e script by manipulating input parameters.\u003c/li\u003e\n\u003cli\u003eThe server, due to the vulnerability, reads the arbitrary PHP file specified by the attacker.\u003c/li\u003e\n\u003cli\u003eThe server returns the contents of the requested PHP file to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the disclosed PHP file, potentially revealing sensitive information such as database credentials or configuration details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2019-25675 allows unauthenticated attackers to gain complete control over the affected eDirectory instance. This can lead to the exfiltration of sensitive data, including user credentials and configuration information. While the specific number of victims is not stated, the potential impact is high considering the widespread use of eDirectory in various sectors. 
A successful attack could compromise the confidentiality and integrity of critical systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates for eDirectory to address the SQL injection vulnerabilities described in CVE-2019-25675.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect eDirectory language_file.php File Disclosure\u003c/code\u003e to detect attempts to exploit the file disclosure vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect eDirectory SQL Injection Attempt\u003c/code\u003e to detect SQL injection attempts against the login endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the login endpoint (\u003ccode\u003e/login\u003c/code\u003e) and \u003ccode\u003elanguage_file.php\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:45Z","date_published":"2026-04-05T21:16:45Z","id":"/briefs/2026-04-edirectory-sqli/","summary":"Unauthenticated attackers can exploit SQL injection vulnerabilities in eDirectory (CVE-2019-25675) to bypass administrator authentication and disclose sensitive files.","title":"eDirectory SQL Injection Vulnerability (CVE-2019-25675)","url":"https://feed.craftedsignal.io/briefs/2026-04-edirectory-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25672"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePilusCart 1.4.1 is susceptible to a SQL injection vulnerability (CVE-2019-25672) that allows unauthenticated attackers to inject malicious SQL code via the \u0026lsquo;send\u0026rsquo; parameter. 
This vulnerability enables attackers to manipulate database queries, potentially leading to the extraction of sensitive information. The attack involves crafting malicious POST requests to the comment submission endpoint using RLIKE-based boolean SQL injection techniques. Successful exploitation grants attackers unauthorized access to the database, impacting confidentiality and potentially integrity. Defenders need to implement robust input validation and sanitization measures to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the comment submission endpoint in PilusCart 1.4.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the comment submission endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a SQL injection payload within the \u0026lsquo;send\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe payload utilizes RLIKE-based boolean SQL injection to bypass input validation.\u003c/li\u003e\n\u003cli\u003eThe application processes the malicious POST request without proper sanitization of the \u0026lsquo;send\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed within the context of the database query.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive data from the database through boolean-based inference.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information, such as user credentials or financial data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SQL injection vulnerability (CVE-2019-25672) in PilusCart 1.4.1 can lead to the unauthorized disclosure of sensitive data, potentially affecting all users and customers of the vulnerable application. 
While the number of victims is currently unknown, the impact could be significant depending on the sensitivity of the data stored in the database. This vulnerability can lead to data breaches, financial losses, and reputational damage for organizations using the affected PilusCart version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PilusCart SQL Injection Attempt via Send Parameter\u003c/code\u003e to detect malicious POST requests targeting the comment submission endpoint (log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u0026lsquo;send\u0026rsquo; parameter to prevent SQL injection attacks (reference: CVE-2019-25672).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of PilusCart that addresses the SQL injection vulnerability (reference: CVE-2019-25672).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests with RLIKE-based SQL injection payloads in the \u0026lsquo;send\u0026rsquo; parameter (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:44Z","date_published":"2026-04-05T21:16:44Z","id":"/briefs/2026-04-piluscart-sqli/","summary":"PilusCart 1.4.1 is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter to extract sensitive database information.","title":"PilusCart 1.4.1 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-piluscart-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25668"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25668","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNews Website Script version 2.0.5 is susceptible to SQL injection, as identified by CVE-2019-25668. 
This vulnerability allows unauthenticated remote attackers to manipulate database queries by injecting malicious SQL code via the \u0026lsquo;news ID\u0026rsquo; parameter. Successful exploitation grants attackers the ability to extract sensitive information directly from the application database. The vulnerability lies within the index.php/show/news/ endpoint and can be exploited via simple HTTP GET requests, making it easily accessible. The risk to organizations using this vulnerable software is significant, potentially leading to data breaches and unauthorized access to confidential information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable instance of News Website Script 2.0.5.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/index.php/show/news/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a \u003ccode\u003enews\u003c/code\u003e parameter containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe web server receives the malicious request and passes the SQL injection payload to the application\u0026rsquo;s database query.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive data from the database, such as user credentials, financial information, or proprietary data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the extracted information to further compromise the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2019-25668) can lead to the complete compromise of the affected News Website Script 2.0.5 database. 
The impact includes unauthorized access to sensitive data, potential data breaches, and the ability for attackers to modify or delete data. The number of potential victims is dependent on the install base of the vulnerable software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of News Website Script to remediate CVE-2019-25668.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect exploitation attempts targeting the vulnerable endpoint \u003ccode\u003eindex.php/show/news/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied input to prevent SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:44Z","date_published":"2026-04-05T21:16:44Z","id":"/briefs/2026-04-news-website-sqli/","summary":"News Website Script 2.0.5 contains an SQL injection vulnerability (CVE-2019-25668) allowing unauthenticated attackers to extract sensitive information by injecting SQL code through the news ID parameter in GET requests.","title":"News Website Script 2.0.5 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-news-website-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25662"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25662","resourcespace"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eResourceSpace 8.6 is susceptible to a critical SQL injection vulnerability (CVE-2019-25662) that allows unauthenticated attackers to execute arbitrary SQL queries. The vulnerability is located within the watched_searches.php endpoint and is triggered through the \u0026lsquo;ref\u0026rsquo; parameter in GET requests. 
By injecting malicious SQL code into this parameter, attackers can bypass authentication and directly interact with the database, potentially extracting sensitive information such as usernames and credentials. This vulnerability poses a significant risk as it does not require any prior authentication, making exploitation straightforward for remote attackers. ResourceSpace is an open-source digital asset management (DAM) system. Successful exploitation of this vulnerability allows attackers to potentially compromise the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a ResourceSpace 8.6 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload designed to extract data or manipulate the database. This payload is injected into the \u0026lsquo;ref\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to the \u003ccode\u003e/watched_searches.php\u003c/code\u003e endpoint with the crafted SQL payload within the \u003ccode\u003eref\u003c/code\u003e parameter (e.g., \u003ccode\u003ewatched_searches.php?ref=SQL_injection_payload\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe ResourceSpace application improperly processes the attacker-supplied SQL payload without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is executed against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe database server processes the query and returns the results to the ResourceSpace application.\u003c/li\u003e\n\u003cli\u003eThe ResourceSpace application displays the results, which may include sensitive information like usernames, passwords, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the extracted sensitive data from the application\u0026rsquo;s response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SQL injection vulnerability in ResourceSpace 8.6 can lead to the complete compromise of the affected system. Attackers can gain unauthorized access to sensitive data, including user credentials, financial information, and proprietary data. This could lead to financial loss, reputational damage, and legal liabilities. Given the nature of digital asset management systems, the compromised data might include valuable intellectual property or personally identifiable information (PII), potentially impacting a large number of individuals.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of ResourceSpace to remediate CVE-2019-25662.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ResourceSpace SQL Injection Attempt\u003c/code\u003e to monitor for exploitation attempts against the \u003ccode\u003e/watched_searches.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u0026lsquo;ref\u0026rsquo; parameter within the \u003ccode\u003ewatched_searches.php\u003c/code\u003e endpoint to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious GET requests to \u003ccode\u003ewatched_searches.php\u003c/code\u003e containing unusual characters or SQL keywords.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:43Z","date_published":"2026-04-05T21:16:43Z","id":"/briefs/2026-04-resourcespace-sqli/","summary":"ResourceSpace 8.6 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries via the 'ref' parameter in GET requests to the watched_searches.php endpoint, leading to sensitive data extraction.","title":"ResourceSpace 8.6 SQL Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-resourcespace-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-34717"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["openproject","sqli","cve-2026-34717","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenProject, a web-based project management software, is vulnerable to SQL injection in versions prior to 17.2.3. The vulnerability lies within the \u003ccode\u003e=n\u003c/code\u003e operator located in \u003ccode\u003emodules/reporting/lib/report/operator.rb:177\u003c/code\u003e. This operator improperly handles user input by directly embedding it into SQL WHERE clauses without adequate parameterization. An attacker could leverage this flaw to inject malicious SQL code, potentially leading to unauthorized data access, modification, or deletion. The vulnerability was reported on April 2, 2026, and patched in version 17.2.3. Organizations using vulnerable versions of OpenProject are at risk of data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenProject instance running a version prior to 17.2.3.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable \u003ccode\u003e=n\u003c/code\u003e operator within the \u003ccode\u003emodules/reporting/lib/report/operator.rb\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe malicious request injects SQL code through a parameter processed by the vulnerable operator.\u003c/li\u003e\n\u003cli\u003eThe OpenProject application executes the attacker-controlled SQL code against the database due to the lack of input sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses authentication or authorization checks by manipulating the SQL query.\u003c/li\u003e\n\u003cli\u003eThe 
attacker retrieves sensitive data from the database, such as user credentials or project information.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify data within the database, potentially altering project configurations or injecting malicious content.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete database compromise, potentially leading to a full system takeover if database privileges are sufficient.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to significant data breaches, potentially exposing sensitive project data, user credentials, and confidential information. The impact ranges from unauthorized data access and modification to complete database compromise. Depending on the database privileges, this could lead to full system takeover. Organizations in various sectors utilizing vulnerable versions of OpenProject could be affected, resulting in financial losses, reputational damage, and legal liabilities. The CVSS v3.1 base score for this vulnerability is 9.9 (Critical).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenProject instances to version 17.2.3 or later to patch the SQL injection vulnerability (CVE-2026-34717).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting the vulnerable endpoint (\u003ccode\u003emodules/reporting/lib/report/operator.rb\u003c/code\u003e) that contain SQL injection attempts. 
Deploy the provided Sigma rule \u003ccode\u003eDetect OpenProject SQL Injection Attempt\u003c/code\u003e to detect potential exploitation.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) to filter out malicious requests and prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eReview and harden database access controls to minimize the impact of potential SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eEnable and monitor audit logs for database activity to detect any unauthorized data access or modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T18:16:33Z","date_published":"2026-04-02T18:16:33Z","id":"/briefs/2026-04-openproject-sqli/","summary":"OpenProject versions before 17.2.3 are susceptible to SQL injection due to improper input sanitization in the '=n' operator, potentially allowing remote attackers to execute arbitrary SQL commands.","title":"OpenProject SQL Injection Vulnerability (CVE-2026-34717)","url":"https://feed.craftedsignal.io/briefs/2026-04-openproject-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openstamanager","sqli","cve-2026-28805"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenSTAManager, a management software for technical assistance and invoicing, contains a critical vulnerability that could lead to significant data breaches. Specifically, versions prior to 2.10.2 are vulnerable to Time-Based Blind SQL Injection (CVE-2026-28805) in its AJAX select handlers. The vulnerability exists due to the lack of sanitization, parameterization, or allowlist validation of the \u0026lsquo;options[stato]\u0026rsquo; GET parameter. This allows an authenticated attacker to inject arbitrary SQL queries, potentially compromising the entire database. Successful exploitation allows an attacker to extract sensitive data like usernames, password hashes, and financial records. 
Organizations using affected versions of OpenSTAManager should upgrade to version 2.10.2 immediately to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker identifies the vulnerable AJAX select handler within the OpenSTAManager application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the vulnerable endpoint, injecting SQL code into the \u003ccode\u003eoptions[stato]\u003c/code\u003e parameter (e.g., \u003ccode\u003eoptions[stato]=%' AND SLEEP(5) AND '%'='\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application concatenates the attacker-supplied SQL code directly into a SQL WHERE clause without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL \u003ccode\u003eSLEEP()\u003c/code\u003e function causes a time delay on the server, confirming the successful injection to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker refines the SQL injection payload to extract specific data, such as the database version or user credentials, using conditional \u003ccode\u003eSLEEP()\u003c/code\u003e statements and character-by-character extraction techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through the database structure and tables, extracting sensitive data like usernames and password hashes.\u003c/li\u003e\n\u003cli\u003eUsing the extracted credentials, the attacker gains unauthorized access to administrative functions within OpenSTAManager.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates financial records and other sensitive data from the compromised database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of the OpenSTAManager database. 
This includes the potential exposure of sensitive customer data, financial records, and internal user credentials. The impact could range from financial loss and reputational damage to legal repercussions for failing to protect sensitive information. Given the CVSS v3.1 base score of 8.8, this is a critical vulnerability requiring immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenSTAManager to version 2.10.2 or later to patch CVE-2026-28805.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenSTAManager SQL Injection Attempt\u0026rdquo; to monitor for malicious requests containing SQL injection payloads targeting the \u003ccode\u003eoptions[stato]\u003c/code\u003e parameter (see rules).\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing SQL injection patterns, specifically targeting the \u003ccode\u003eoptions[stato]\u003c/code\u003e GET parameter.\u003c/li\u003e\n\u003cli\u003eReview web server logs for unusual activity and suspicious requests containing SQL syntax within the \u003ccode\u003eoptions[stato]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T14:16:26Z","date_published":"2026-04-02T14:16:26Z","id":"/briefs/2024-01-openstamanager-sqli/","summary":"OpenSTAManager versions before 2.10.2 are susceptible to time-based blind SQL injection via the 'options[stato]' GET parameter, allowing authenticated attackers to extract sensitive database information.","title":"OpenSTAManager Time-Based Blind SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openstamanager-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-5034","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability, 
identified as CVE-2026-5034, has been discovered in code-projects Accounting System version 1.0. The vulnerability resides in the \u003ccode\u003e/edit_costumer.php\u003c/code\u003e file within the Parameter Handler component. Attackers can remotely exploit this vulnerability by manipulating the \u003ccode\u003ecos_id\u003c/code\u003e argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability allows unauthenticated remote attackers to potentially execute arbitrary SQL…\u003c/p\u003e\n","date_modified":"2026-03-29T06:16:12Z","date_published":"2026-03-29T06:16:12Z","id":"/briefs/2026-03-code-projects-sqli/","summary":"A remote SQL injection vulnerability exists in code-projects Accounting System 1.0 via manipulation of the 'cos_id' parameter in '/edit_costumer.php', potentially allowing unauthorized database access.","title":"code-projects Accounting System 1.0 SQL Injection Vulnerability (CVE-2026-5034)","url":"https://feed.craftedsignal.io/briefs/2026-03-code-projects-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","cve-2026-33755","group-office","jmap"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGroup-Office, an enterprise CRM and groupware tool, contains a critical SQL injection vulnerability affecting versions prior to 6.8.158, 25.0.92, and 26.0.17. The vulnerability resides in the JMAP \u003ccode\u003eContact/query\u003c/code\u003e endpoint. Any authenticated user with basic address book access can exploit this flaw to extract arbitrary data from the database. A successful exploit allows an attacker to retrieve sensitive information such as active session tokens belonging to other users. This can lead to complete account takeover, including the System Administrator account, without requiring the user\u0026rsquo;s password. 
Applying the security patches released in versions 6.8.158, 25.0.92, and 26.0.17 resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Group-Office application with a valid user account that has basic address book access privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JMAP \u003ccode\u003eContact/query\u003c/code\u003e request containing a SQL injection payload within a parameter processed by the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eThe Group-Office application processes the crafted request without proper sanitization, allowing the SQL injection payload to be executed against the database.\u003c/li\u003e\n\u003cli\u003eThe SQL injection attack is successful, allowing the attacker to extract sensitive information, including session tokens, user credentials, or other privileged data, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the database response and identifies valid session tokens belonging to other users.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session token to hijack another user\u0026rsquo;s session, bypassing normal authentication procedures.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the target user\u0026rsquo;s account, gaining unauthorized access to sensitive data and functionalities.\u003c/li\u003e\n\u003cli\u003eDepending on the compromised user\u0026rsquo;s privileges, the attacker can escalate privileges, access sensitive data, or perform administrative actions, leading to a complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to take over any account within the Group-Office system. The impact includes unauthorized access to sensitive customer data, financial records, and internal communications. 
System administrators are particularly at risk, as their compromise grants attackers full control over the Group-Office environment. This could lead to data breaches, service disruption, and reputational damage. The CVSS v3.1 base score is rated 8.8, highlighting the high severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Group-Office instances to version 6.8.158, 25.0.92, or 26.0.17 to patch CVE-2026-33755.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to the \u003ccode\u003e/jmap\u003c/code\u003e endpoint containing potentially malicious SQL syntax, as indicated in the rule \u0026ldquo;Group-Office Suspicious JMAP Contact Query\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Group-Office Potential Session Token Theft\u0026rdquo; to detect unauthorized access attempts using potentially stolen session tokens.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization measures to prevent SQL injection vulnerabilities in all web applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T15:16:57Z","date_published":"2026-03-27T15:16:57Z","id":"/briefs/2026-03-group-office-sqli/","summary":"An authenticated SQL Injection vulnerability in Group-Office's JMAP Contact/query endpoint allows data extraction, including session tokens, leading to account takeover if unpatched.","title":"Group-Office JMAP Contact/Query SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-group-office-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["n8n","vulnerability","rce","sqli","code-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple critical vulnerabilities have been discovered in n8n, an extendable, node-based workflow automation tool used for 
connecting SaaS applications and automating complex business logic. These vulnerabilities, identified as CVE-2026-33696, CVE-2026-33660, and CVE-2026-33713, can be exploited by authenticated users. Successful exploitation allows for remote code execution on the host system, reading sensitive local files, and performing unauthorized database operations. The vulnerabilities affect the XML, GSuiteAdmin, and Merge nodes, as well as the Data Table Get node. These flaws represent a critical threat to the confidentiality and integrity of n8n deployments. The Centre for Cybersecurity Belgium (CCB) strongly recommends immediate patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to an n8n instance.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-33696, the attacker crafts a malicious request targeting the XML or GSuiteAdmin node to write values to Object.prototype.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-33660, the attacker uses the Merge node with the \u0026ldquo;Combine by SQL\u0026rdquo; mode and exploits the AlaSQL sandbox escape to inject arbitrary code.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-33713, the attacker crafts a malicious SQL query via the Data Table Get node.\u003c/li\u003e\n\u003cli\u003eThe injected code or SQL commands are executed by the n8n server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to read sensitive files from the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the host, leading to full remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized operations in the database, potentially modifying or deleting data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows an attacker to gain full remote code execution on the n8n host system, potentially compromising the entire 
server infrastructure. The attacker can also read sensitive local files, potentially exposing credentials and configuration data. In PostgreSQL deployments, the attacker can modify and delete data due to multi-statement execution capabilities via SQL injection (CVE-2026-33713). This can lead to significant data loss and disruption of services relying on the n8n platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch n8n instances to the latest version to address CVE-2026-33696, CVE-2026-33660, and CVE-2026-33713 (reference: CCB advisory).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect potential exploitation attempts in your n8n environment.\u003c/li\u003e\n\u003cli\u003eMonitor n8n logs for suspicious SQL queries and code execution patterns, focusing on the Data Table Get and Merge nodes (reference: CVE-2026-33713 and CVE-2026-33660 descriptions).\u003c/li\u003e\n\u003cli\u003eReview n8n access controls and ensure the principle of least privilege to minimize the impact of potential exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T09:40:27Z","date_published":"2026-03-27T09:40:27Z","id":"/briefs/2026-03-n8n-vulns/","summary":"Multiple critical vulnerabilities in n8n, including prototype pollution, code injection, and SQL injection, allow authenticated users to achieve remote code execution, read sensitive files, and perform unauthorized database operations.","title":"Critical Vulnerabilities in n8n Workflow Automation Tool","url":"https://feed.craftedsignal.io/briefs/2026-03-n8n-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKomSeo Cart version 1.3 is susceptible to SQL injection attacks through the \u0026lsquo;my_item_search\u0026rsquo; parameter 
found within the edit.php file. This vulnerability allows unauthenticated attackers to inject arbitrary SQL commands into the application\u0026rsquo;s database queries. Successful exploitation of this flaw enables attackers to extract sensitive information from the database, potentially compromising user credentials, financial data, or other confidential information. The vulnerability can be exploited using boolean-based blind or error-based SQL injection techniques. This poses a significant risk to e-commerce platforms using the affected KomSeo Cart version, potentially leading to data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a KomSeo Cart 1.3 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL payload specifically designed for the \u0026lsquo;my_item_search\u0026rsquo; parameter in the \u003ccode\u003eedit.php\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003eedit.php\u003c/code\u003e with the \u0026lsquo;my_item_search\u0026rsquo; parameter containing the SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe KomSeo Cart application processes the request and incorporates the malicious SQL code into a database query.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code.\u003c/li\u003e\n\u003cli\u003eDepending on the type of SQL injection (boolean-based blind or error-based), the attacker analyzes the application\u0026rsquo;s response to infer information about the database structure and data.\u003c/li\u003e\n\u003cli\u003eThe attacker refines the SQL injection payload to extract specific sensitive information, such as usernames, passwords, or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the extracted data for malicious purposes, potentially leading to identity theft, financial fraud, or further 
attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2018-25206) in KomSeo Cart 1.3 can lead to the complete compromise of the affected e-commerce platform\u0026rsquo;s database. Attackers can steal sensitive customer data, including usernames, passwords, addresses, and financial details. This can result in significant financial losses for both the e-commerce business and its customers. The vulnerability affects all installations of KomSeo Cart 1.3 that have not been patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect KomSeo Cart SQL Injection Attempt\u0026rdquo; to detect malicious POST requests to \u003ccode\u003eedit.php\u003c/code\u003e with suspicious SQL payloads in the \u0026lsquo;my_item_search\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for POST requests to \u003ccode\u003eedit.php\u003c/code\u003e containing SQL-related keywords or functions in the \u0026lsquo;my_item_search\u0026rsquo; parameter (log source: webserver).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of KomSeo Cart that addresses the SQL injection vulnerability, if available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:16:05Z","date_published":"2026-03-26T12:16:05Z","id":"/briefs/2026-03-komseo-sqli/","summary":"KomSeo Cart 1.3 is vulnerable to SQL injection via the 'my_item_search' parameter in edit.php, allowing attackers to inject SQL commands and extract sensitive database information.","title":"KomSeo Cart 1.3 SQL Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-komseo-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","web-application","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWecodex Hotel CMS 1.0 is susceptible to an SQL injection vulnerability (CVE-2018-25195) within its admin login feature. Discovered in 2026, this flaw enables unauthenticated attackers to inject malicious SQL code into the \u0026lsquo;username\u0026rsquo; parameter of a POST request sent to the \u0026lsquo;index.php\u0026rsquo; page with the \u0026lsquo;action=processlogin\u0026rsquo; parameter. Successful exploitation could lead to the bypass of authentication mechanisms, potentially granting unauthorized administrative privileges. The vulnerability poses a significant risk to organizations utilizing the vulnerable CMS, as attackers could gain full control over the web application and its underlying data, including user credentials and sensitive business information. 
This requires immediate attention and patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Wecodex Hotel CMS 1.0 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL payload designed to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003eindex.php\u003c/code\u003e with the parameter \u003ccode\u003eaction=processlogin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted SQL payload is injected into the \u003ccode\u003eusername\u003c/code\u003e parameter of the POST request.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL to the database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the authentication query, likely using \u003ccode\u003eOR\u003c/code\u003e clauses and commenting out the rest of the original query.\u003c/li\u003e\n\u003cli\u003eThe manipulated query returns a successful authentication result, bypassing the intended login process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the administrative panel of the Wecodex Hotel CMS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows attackers to bypass authentication controls and gain administrative access to the Wecodex Hotel CMS 1.0. This can lead to full compromise of the system, including the theft of sensitive data such as customer information, financial records, and proprietary business data. Attackers can also modify the website, inject malicious code, or use the compromised server as a launching point for further attacks. 
Given the potential for complete system compromise, this vulnerability poses a critical risk to affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock POST requests to \u003ccode\u003e/index.php\u003c/code\u003e containing suspicious SQL syntax in the \u003ccode\u003eusername\u003c/code\u003e parameter using a web application firewall (WAF) or intrusion detection system (IDS), based on the provided attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts targeting the login functionality of Wecodex Hotel CMS.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Wecodex Hotel CMS that addresses CVE-2018-25195 if available from the vendor.\u003c/li\u003e\n\u003cli\u003eImplement parameterized queries or prepared statements in the application code to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:16:04Z","date_published":"2026-03-26T12:16:04Z","id":"/briefs/2026-03-wecodex-sqli/","summary":"Wecodex Hotel CMS 1.0 is vulnerable to SQL injection in the admin login functionality, allowing unauthenticated attackers to bypass authentication and potentially extract sensitive database information or gain administrative access by injecting SQL code through the username parameter in POST requests to index.php with action=processlogin.","title":"Wecodex Hotel CMS 1.0 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-wecodex-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw has been identified in code-projects Simple Laundry System version 1.0. 
This vulnerability, tracked as CVE-2026-4850, resides within the Parameter Handler component, specifically in the \u003ccode\u003e/checkregisitem.php\u003c/code\u003e file. The vulnerability allows for remote SQL injection through the manipulation of the \u003ccode\u003eLong-arm-shirtVol\u003c/code\u003e argument. Successful exploitation could lead to unauthorized database access, data breaches, or complete system compromise. The availability of a public exploit amplifies the risk, making immediate patching or mitigation crucial. The vulnerability poses a threat to any instance of Simple Laundry System 1.0 accessible over a network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of Simple Laundry System 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting \u003ccode\u003e/checkregisitem.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a modified \u003ccode\u003eLong-arm-shirtVol\u003c/code\u003e parameter containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL code to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, granting the attacker unauthorized access.\u003c/li\u003e\n\u003cli\u003eAttacker retrieves sensitive data from the database (e.g., user credentials, financial records).\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised data for malicious purposes (e.g., identity theft, financial fraud).\u003c/li\u003e\n\u003cli\u003eAttacker could potentially escalate privileges within the database server to execute arbitrary commands on the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could have severe consequences. 
Attackers could gain unauthorized access to sensitive data stored within the Simple Laundry System\u0026rsquo;s database, including user credentials, transaction histories, and potentially financial information. The number of potential victims is directly proportional to the number of organizations still running the vulnerable Simple Laundry System 1.0. A successful attack could result in data breaches, financial losses, and reputational damage for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for Simple Laundry System 1.0 to address CVE-2026-4850.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious checkregisitem.php SQL Injection Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the \u003ccode\u003e/checkregisitem.php\u003c/code\u003e file to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003e/checkregisitem.php\u003c/code\u003e endpoint using the IOCs listed in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T08:16:22Z","date_published":"2026-03-26T08:16:22Z","id":"/briefs/2026-03-simple-laundry-sqli/","summary":"A remote SQL Injection vulnerability exists in code-projects Simple Laundry System 1.0 within the Parameter Handler component's /checkregisitem.php file, where manipulating the Long-arm-shirtVol argument can trigger the injection, with a publicly available exploit.","title":"SQL Injection Vulnerability in Simple Laundry System 
1.0","url":"https://feed.craftedsignal.io/briefs/2026-03-simple-laundry-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical SQL injection vulnerability has been identified in itsourcecode Online Enrollment System version 1.0. The vulnerability resides within the Parameter Handler component, specifically affecting the \u003ccode\u003e/sms/grades/index.php\u003c/code\u003e file when handling the \u003ccode\u003edeptid\u003c/code\u003e argument. This flaw allows unauthenticated remote attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Given the public disclosure of the exploit, the risk of exploitation is significantly elevated. Organizations using this software should apply immediate mitigation measures to prevent potential compromise. The affected software is an Online Enrollment System, likely used by educational institutions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an instance of itsourcecode Online Enrollment System 1.0 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/sms/grades/index.php?view=edit\u0026amp;id=1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a SQL payload into the \u003ccode\u003edeptid\u003c/code\u003e parameter within the URL.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, potentially allowing the attacker to bypass authentication and authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data from the database, such as 
user credentials, student records, or financial information.\u003c/li\u003e\n\u003cli\u003eThe attacker could modify database records, create new administrative accounts, or delete critical data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the application and the underlying database server, leading to a full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to a full compromise of the Online Enrollment System. This can result in the theft of sensitive student and faculty data, including personally identifiable information (PII), academic records, and financial details. Attackers could also modify grades, alter enrollment data, or disrupt the system\u0026rsquo;s availability, impacting thousands of students and administrative staff. The vulnerability has a CVSS v3.1 base score of 7.3, indicating a high level of severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious HTTP requests containing SQL injection attempts targeting the \u003ccode\u003e/sms/grades/index.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the itsourcecode Online Enrollment System to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eRestrict access to the database server from the web application server to only necessary accounts and permissions.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity and potential exploitation attempts related to CVE-2026-4842.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T05:16:41Z","date_published":"2026-03-26T05:16:41Z","id":"/briefs/2024-01-30-online-enrollment-sqli/","summary":"A remote SQL injection vulnerability exists in itsourcecode Online Enrollment System 1.0 within the 
Parameter Handler component affecting the `/sms/grades/index.php` file; it allows unauthorized database access and has been publicly disclosed.","title":"SQL Injection Vulnerability in itsourcecode Online Enrollment System 1.0","url":"https://feed.craftedsignal.io/briefs/2024-01-30-online-enrollment-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-4838"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe SourceCodester Malawi Online Market 1.0 is vulnerable to SQL injection (CVE-2026-4838). The vulnerability resides within the \u003ccode\u003e/display.php\u003c/code\u003e file, specifically in how the application handles the \u003ccode\u003eID\u003c/code\u003e parameter. A remote attacker can manipulate this parameter to inject arbitrary SQL commands into the database query. This can potentially allow the attacker to read, modify, or delete sensitive data, or even gain control of the underlying database server. 
The vulnerability was published on…\u003c/p\u003e\n","date_modified":"2026-03-26T04:17:13Z","date_published":"2026-03-26T04:17:13Z","id":"/briefs/2026-03-malawi-online-market-sqli/","summary":"A remote SQL injection vulnerability (CVE-2026-4838) exists in the /display.php file of SourceCodester Malawi Online Market 1.0 due to improper input sanitization of the ID parameter, potentially allowing attackers to execute arbitrary SQL queries.","title":"SourceCodester Malawi Online Market SQL Injection Vulnerability (CVE-2026-4838)","url":"https://feed.craftedsignal.io/briefs/2026-03-malawi-online-market-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","openemr","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenEMR, a widely used open-source electronic health records and medical practice management application, has a critical security flaw. Specifically, versions prior to 8.0.0.3 contain a blind SQL injection vulnerability affecting the Patient Search functionality located at \u003ccode\u003e/interface/new/new_search_popup.php\u003c/code\u003e. Authenticated attackers can exploit this vulnerability, identified as CVE-2026-29187, by manipulating HTTP parameter keys during patient searches. 
Successful exploitation allows…\u003c/p\u003e\n","date_modified":"2026-03-25T23:17:09Z","date_published":"2026-03-25T23:17:09Z","id":"/briefs/2026-03-openemr-sqli/","summary":"OpenEMR versions prior to 8.0.0.3 are susceptible to a blind SQL injection vulnerability in the Patient Search functionality, allowing authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys.","title":"OpenEMR Blind SQL Injection Vulnerability in Patient Search (CVE-2026-29187)","url":"https://feed.craftedsignal.io/briefs/2026-03-openemr-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Netartmedia Vlog System is susceptible to SQL injection (CVE-2019-25641). An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code through the email parameter in the forgotten_password module. The attacker sends crafted POST requests to index.php to manipulate database queries and extract sensitive information. This vulnerability exists due to improper neutralization of special elements used in an SQL command. This vulnerability was reported in March 2026. 
Successful exploitation allows attackers to potentially access sensitive data, modify database contents, or even gain unauthorized access to the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Netartmedia Vlog System instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003eindex.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eforgotten_password\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003eemail\u003c/code\u003e parameter within the POST data.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the crafted POST request without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database.\u003c/li\u003e\n\u003cli\u003eSensitive data, such as user credentials or configuration details, is extracted.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted information for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2019-25641) can lead to unauthorized access to sensitive data within the Netartmedia Vlog System database. Attackers can potentially steal user credentials, modify system settings, or even gain complete control over the application. 
The number of affected installations is currently unknown, but any system running a vulnerable version of Netartmedia Vlog System is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for POST requests to \u003ccode\u003eindex.php\u003c/code\u003e with the \u003ccode\u003eforgotten_password\u003c/code\u003e module and suspicious characters in the \u003ccode\u003eemail\u003c/code\u003e parameter to detect potential exploitation attempts (webserver logs).\u003c/li\u003e\n\u003cli\u003eApply appropriate input validation and sanitization techniques to the email parameter in the forgotten_password module of the Netartmedia Vlog System to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:16:06Z","date_published":"2026-03-24T12:16:06Z","id":"/briefs/2026-03-netartmedia-sqli/","summary":"Netartmedia Vlog System is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter in the forgotten_password module.","title":"Netartmedia Vlog System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-netartmedia-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["avideo","sqli","cve-2026-33723","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is susceptible to a critical SQL injection vulnerability (CVE-2026-33723) affecting versions up to and including 26.0. The vulnerability resides within the \u003ccode\u003eSubscribe::save()\u003c/code\u003e method located in \u003ccode\u003eobjects/subscribe.php\u003c/code\u003e. 
The application directly concatenates the \u003ccode\u003e$this-\u0026gt;users_id\u003c/code\u003e property into an INSERT SQL query without proper sanitization or parameterized binding. This property originates from the \u003ccode\u003e$_POST['user_id']\u003c/code\u003e parameter in both…\u003c/p\u003e\n","date_modified":"2026-03-23T19:16:42Z","date_published":"2026-03-23T19:16:42Z","id":"/briefs/2024-05-avideo-sqli/","summary":"WWBN AVideo platform versions up to 26.0 are vulnerable to SQL injection (CVE-2026-33723), allowing authenticated attackers to inject arbitrary SQL commands via the 'user_id' POST parameter and extract sensitive data such as password hashes, API keys, and encryption salts.","title":"WWBN AVideo SQL Injection Vulnerability (CVE-2026-33723)","url":"https://feed.craftedsignal.io/briefs/2024-05-avideo-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","sqli","cve-2026-2580","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory \u0026amp; Filters plugin for WordPress, a widely used plugin for integrating map functionality into WordPress sites, contains a critical time-based SQL Injection vulnerability. Assigned CVE-2026-2580, this flaw affects all versions up to and including 4.9.1. The vulnerability lies within the \u0026lsquo;orderby\u0026rsquo; parameter, where insufficient input sanitization allows unauthenticated attackers to inject malicious SQL queries. 
By…\u003c/p\u003e\n","date_modified":"2026-03-23T00:16:51Z","date_published":"2026-03-23T00:16:51Z","id":"/briefs/2024-01-wp-maps-sqli/","summary":"The WP Maps WordPress plugin before version 4.9.2 is vulnerable to time-based SQL Injection via the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive information from the database.","title":"WP Maps WordPress Plugin Time-Based SQL Injection Vulnerability (CVE-2026-2580)","url":"https://feed.craftedsignal.io/briefs/2024-01-wp-maps-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["litellm"],"_cs_severities":["critical"],"_cs_tags":["sqli","litellm","web-application"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability has been identified in LiteLLM, specifically affecting versions 1.81.16 through 1.83.6. The vulnerability resides within the proxy API key verification process. Due to improper sanitization of the \u003ccode\u003eAuthorization\u003c/code\u003e header, an unauthenticated attacker can inject arbitrary SQL commands. This is achieved by sending a specially crafted header to any LLM API route, such as \u003ccode\u003ePOST /chat/completions\u003c/code\u003e, which triggers the vulnerable query through the proxy\u0026rsquo;s error-handling mechanism. 
Defenders should prioritize patching to version 1.83.7 or later to mitigate this risk, or implement the suggested workaround.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP \u003ccode\u003eAuthorization\u003c/code\u003e header to a LiteLLM API endpoint (e.g., \u003ccode\u003e/chat/completions\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy receives the request and extracts the API key from the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eDue to insufficient sanitization, the API key value is directly concatenated into a SQL query string.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SQL query is executed against the proxy\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code to read sensitive data, such as user credentials or API keys, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may further inject SQL code to modify data, potentially granting themselves administrative privileges or compromising other users\u0026rsquo; accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the LiteLLM proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised proxy to access and control connected LLMs, exfiltrate data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to complete compromise of the LiteLLM proxy. Attackers could read or modify sensitive data within the proxy\u0026rsquo;s database, including API keys and credentials. This could lead to unauthorized access to managed LLMs and potentially allow attackers to exfiltrate sensitive data, disrupt services, or gain a foothold for further attacks within the compromised environment. 
The impact is significant due to the potential for widespread data breaches and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version 1.83.7 or later to patch the SQL injection vulnerability as detailed in the advisory \u003ca href=\"https://github.com/advisories/GHSA-r75f-5x8p-qvmc\"\u003eGHSA-r75f-5x8p-qvmc\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, set \u003ccode\u003edisable_error_logs: true\u003c/code\u003e in the \u003ccode\u003egeneral_settings\u003c/code\u003e configuration to mitigate the risk as described in the advisory \u003ca href=\"https://github.com/advisories/GHSA-r75f-5x8p-qvmc\"\u003eGHSA-r75f-5x8p-qvmc\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious \u003ccode\u003eAuthorization\u003c/code\u003e headers containing SQL injection payloads to detect potential exploitation attempts. Deploy the provided Sigma rule targeting HTTP request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-08T12:00:00Z","date_published":"2024-11-08T12:00:00Z","id":"/briefs/2024-11-litellm-sqli/","summary":"A SQL injection vulnerability exists in LiteLLM versions 1.81.16 up to, but not including, 1.83.7, allowing an unauthenticated attacker to inject SQL queries via a crafted 'Authorization' header, potentially leading to unauthorized data access or modification.","title":"LiteLLM Proxy API Key Verification SQL Injection","url":"https://feed.craftedsignal.io/briefs/2024-11-litellm-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7506"}],"_cs_exploited":false,"_cs_products":["Hotel Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","vulnerability","web application"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eSourceCodester Hotel Management System version 1.0 is vulnerable to SQL injection. 
The vulnerability is located in the \u003ccode\u003e/index.php/reservation/check\u003c/code\u003e endpoint. Specifically, the \u003ccode\u003eroom_type\u003c/code\u003e parameter is not properly sanitized, allowing for the injection of malicious SQL queries. This vulnerability can be exploited remotely and has been publicly disclosed, making it accessible to a wide range of threat actors. Successful exploitation allows attackers to read, modify, or delete sensitive data within the application\u0026rsquo;s database. This could lead to unauthorized access, data breaches, and potential disruption of hotel operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of SourceCodester Hotel Management System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003e/index.php/reservation/check\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a SQL injection payload within the \u003ccode\u003eroom_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application processes the request without proper sanitization of the \u003ccode\u003eroom_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the application\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the database, such as user credentials, reservation details, or financial data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the extracted credentials to gain unauthorized access to administrative panels.\u003c/li\u003e\n\u003cli\u003eThe attacker may further compromise the system by modifying data, creating rogue accounts, or planting malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection 
vulnerability can lead to significant data breaches, impacting both the hotel and its customers. Sensitive customer data, including personal information, reservation details, and payment information, could be exposed. The vulnerability could allow attackers to gain administrative access to the Hotel Management System, leading to further compromise of the system and potential disruption of hotel operations. Depending on the database configuration, the attacker may even be able to execute commands on the underlying operating system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect SQL injection attempts targeting the \u003ccode\u003e/index.php/reservation/check\u003c/code\u003e endpoint in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied input, especially the \u003ccode\u003eroom_type\u003c/code\u003e parameter, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003ePatch or upgrade to a secure version of SourceCodester Hotel Management System that addresses this SQL injection vulnerability. 
If a patch is unavailable, consider implementing a web application firewall (WAF) rule to filter out malicious requests.\u003c/li\u003e\n\u003cli\u003eReview and harden database security configurations to limit the privileges of the database user account used by the application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-hotel-management-sqli/","summary":"A SQL injection vulnerability exists in SourceCodester Hotel Management System 1.0 in the /index.php/reservation/check component due to improper sanitization of the room_type parameter, allowing a remote attacker to execute arbitrary SQL commands.","title":"SourceCodester Hotel Management System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-hotel-management-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["NocoBase"],"_cs_severities":["critical"],"_cs_tags":["sqli","nocobase","cve-2026-41640","injection"],"_cs_type":"advisory","_cs_vendors":["NocoBase"],"content_html":"\u003cp\u003eA SQL injection vulnerability exists in NocoBase version 2.0.32 and earlier due to string concatenation in the \u003ccode\u003equeryParentSQL()\u003c/code\u003e function within the \u003ccode\u003e@nocobase/database\u003c/code\u003e core package. The vulnerability stems from how the \u003ccode\u003equeryParentSQL()\u003c/code\u003e function constructs a recursive CTE query by concatenating \u003ccode\u003enodeIds\u003c/code\u003e instead of using parameterized queries. An attacker with record creation permissions on a tree collection with string-type primary keys can inject arbitrary SQL via a malicious string primary key value in a created record. This injection is triggered when a subsequent request initiates recursive eager loading on that collection. 
This can lead to confidentiality breaches (extraction of database values including credentials), integrity issues (data manipulation via stacked queries), and availability problems (resource exhaustion). On PostgreSQL with superuser privileges, OS command execution is possible. The vulnerability affects all collections using a tree/adjacency-list structure with string primary keys. The same concatenation pattern also exists in \u003ccode\u003eplugin-field-sort/src/server/sort-field.ts:124\u003c/code\u003e. The vulnerability is tracked as CVE-2026-41640.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the NocoBase application with privileges to create records in a collection.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a \u0026ldquo;tree\u0026rdquo; collection that utilizes a string-type primary key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious primary key string containing a SQL injection payload, such as \u003ccode\u003eroot') UNION ALL SELECT CAST((SELECT email FROM users LIMIT 1) AS integer)::text, NULL::text WHERE ('1'='1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new record in the target collection using the crafted malicious primary key.\u003c/li\u003e\n\u003cli\u003eA subsequent request is made that triggers recursive eager loading on the target collection, specifically when a \u003ccode\u003eBelongsTo\u003c/code\u003e association has \u003ccode\u003erecursively: true\u003c/code\u003e and instances exist, calling the vulnerable \u003ccode\u003equeryParentSQL\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003equeryParentSQL\u003c/code\u003e function concatenates the malicious primary key into the SQL query without proper sanitization or parameterization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database, allowing the attacker to extract sensitive data via error 
messages or potentially perform other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the extracted data from the error messages or through other means, such as direct database access if integrity is compromised.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SQL injection vulnerability can lead to severe consequences. Successful exploitation can result in the unauthorized disclosure of sensitive information, including database credentials and other user data. Attackers can potentially modify data or execute arbitrary commands on the database server, leading to data corruption or system compromise. In the case of PostgreSQL databases with superuser privileges, attackers might gain operating system-level access. The vulnerability affects all collections using a tree/adjacency-list structure with string-type primary keys, increasing the attack surface. Confirmed extractions include version information, database names, emails, and password hashes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NocoBase SQL Injection Attempt in Primary Key\u003c/code\u003e to your SIEM to detect attempts to exploit this vulnerability via malicious primary key values.\u003c/li\u003e\n\u003cli\u003eApply the suggested fix from the advisory by using parameterized queries in \u003ccode\u003epackages/core/database/src/eager-loading/eager-loading-tree.ts\u003c/code\u003e as referenced in the overview.\u003c/li\u003e\n\u003cli\u003eApply the same fix to \u003ccode\u003eplugin-field-sort/src/server/sort-field.ts:124\u003c/code\u003e to address the identical concatenation pattern as described in the overview.\u003c/li\u003e\n\u003cli\u003eValidate primary key values at record creation time to reject or escape values containing SQL metacharacters (\u003ccode\u003e'\u003c/code\u003e, 
\u003ccode\u003e\u0026quot;\u003c/code\u003e, \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e--\u003c/code\u003e) in string-type primary key fields, as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-nocobase-sqli/","summary":"NocoBase versions 2.0.32 and earlier are vulnerable to SQL injection due to string concatenation in the `queryParentSQL()` function, allowing attackers with record creation permissions to inject arbitrary SQL and potentially extract sensitive information or execute commands.","title":"NocoBase SQL Injection via Recursive Eager Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-nocobase-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Sqli","version":"https://jsonfeed.org/version/1.1"}