{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/web-application/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openmrs-web (\u003c= 2.7.8)","openmrs-web (\u003e= 2.8.0, \u003c= 2.8.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","zip-slip","rce","openmrs","web-application"],"_cs_type":"advisory","_cs_vendors":["OpenMRS"],"content_html":"\u003cp\u003eOpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the \u003ccode\u003ePOST /openmrs/ws/rest/v1/module\u003c/code\u003e endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted \u003ccode\u003e.omod\u003c/code\u003e archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. The vulnerability stems from incomplete path validation within the \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e function, an oversight compared to other extraction methods within the same codebase that are properly protected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e.omod\u003c/code\u003e file containing a ZIP entry with a path traversal payload, such as \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint, uploading the malicious \u003ccode\u003e.omod\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and parses the uploaded \u003ccode\u003e.omod\u003c/code\u003e file, treating it as a ZIP archive.\u003c/li\u003e\n\u003cli\u003eDuring module loading via \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e, the server extracts entries under the \u003ccode\u003eweb/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDue to an incomplete check, the entry \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e passes the initial validation.\u003c/li\u003e\n\u003cli\u003eThe server attempts to write the extracted file to a path constructed by concatenating the traversed path, resulting in writing the file outside the intended \u003ccode\u003eWEB-INF/view/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eIf the written file is a JSP script, accessing it via a browser triggers server-side execution, achieving Remote Code Execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS\u0026rsquo;s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of potentially affected installations is unknown, but the vulnerability impacts a widely used version of the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenMRS Malicious Module Upload\u003c/code\u003e to identify exploitation attempts based on HTTP requests to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint with suspicious file extensions in the query parameters.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events within the web application root directory for suspicious JSP files. Use the Sigma rule \u003ccode\u003eDetect JSP File Creation in Web Application Root\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003cli\u003eEnforce the \u003ccode\u003emodule.allow_web_admin\u003c/code\u003e restriction consistently across all module upload entry points, including the REST API to prevent bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:39:31Z","date_published":"2026-05-04T17:39:31Z","id":"/briefs/2024-01-openmrs-zip-slip/","summary":"OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.","title":"OpenMRS Module Upload Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-zip-slip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Quarkus Vertx HTTP (\u003c 3.20.6.1)","Quarkus Vertx HTTP (\u003e= 3.21.0, \u003c 3.27.3.1)","Quarkus Vertx HTTP (\u003e= 3.30.0, \u003c 3.33.1.1)","Quarkus Vertx HTTP (\u003e= 3.34.0, \u003c 3.35.1.1)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA vulnerability exists in Quarkus Vertx HTTP versions \u0026lt; 3.20.6.1, \u0026gt;= 3.21.0 and \u0026lt; 3.27.3.1, \u0026gt;= 3.30.0 and \u0026lt; 3.33.1.1, and \u0026gt;= 3.34.0 and \u0026lt; 3.35.1.1. The vulnerability, designated as CVE-2026-39852, allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. By appending a semicolon (\u003ccode\u003e;\u003c/code\u003e) and arbitrary text to the request URL, attackers can gain unauthorized access to protected resources. This vulnerability stems from an inconsistency in path normalization: Quarkus\u0026rsquo;s security layer checks the raw URL path, while RESTEasy Reactive\u0026rsquo;s routing layer strips matrix parameters before matching endpoints. This means a request like \u003ccode\u003e/api/admin;anything\u003c/code\u003e can bypass authorization for \u003ccode\u003e/api/admin\u003c/code\u003e while still routing to the protected endpoint. This issue was discovered and verified by the GitHub Security Lab.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a protected endpoint, such as \u003ccode\u003e/api/admin\u003c/code\u003e, that requires authentication or specific privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the protected endpoint but appends a semicolon and arbitrary text, such as \u003ccode\u003e/api/admin;anything\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Quarkus Vertx HTTP server.\u003c/li\u003e\n\u003cli\u003eQuarkus\u0026rsquo;s security layer performs an authorization check on the raw URL path \u003ccode\u003e/api/admin;anything\u003c/code\u003e, which may not match the intended authorization rules for \u003ccode\u003e/api/admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRESTEasy Reactive\u0026rsquo;s routing layer strips the matrix parameters (\u003ccode\u003e;anything\u003c/code\u003e) from the URL, resulting in the endpoint \u003ccode\u003e/api/admin\u003c/code\u003e being matched.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the protected endpoint \u003ccode\u003e/api/admin\u003c/code\u003e, bypassing the intended authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the protected resource or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions they would not normally be authorized to perform, such as accessing sensitive data or modifying system configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive data, modification of system configurations, or other malicious activities. The vulnerability affects Quarkus Vertx HTTP applications that rely on path-based authorization policies. The number of affected applications is currently unknown, but any application using the vulnerable versions of Quarkus Vertx HTTP is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Quarkus Vertx HTTP to a patched version (\u0026gt;= 3.20.6.1, \u0026gt;= 3.27.3.1, \u0026gt;= 3.33.1.1, \u0026gt;= 3.35.1.1) to remediate CVE-2026-39852.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Quarkus Authorization Bypass Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing semicolons in the URL path to detect potential exploitation attempts using the \u003ccode\u003eMonitor Semicolons in URL Path\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:20:20Z","date_published":"2026-05-04T17:20:20Z","id":"/briefs/2026-05-quarkus-auth-bypass/","summary":"Quarkus Vertx HTTP versions \u003c 3.20.6.1, \u003e= 3.21.0 and \u003c 3.27.3.1, \u003e= 3.30.0 and \u003c 3.33.1.1, and \u003e= 3.34.0 and \u003c 3.35.1.1 are vulnerable to an authorization bypass where appending a semicolon and arbitrary text to the request URL allows unauthorized access to protected resources.","title":"Quarkus Vertx HTTP Authorization Bypass via Matrix Parameters","url":"https://feed.craftedsignal.io/briefs/2026-05-quarkus-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Langflow"],"_cs_severities":["critical"],"_cs_tags":["langflow","code-execution","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLangflow is vulnerable to multiple security flaws that could allow a remote attacker to execute arbitrary code on the affected system. Successful exploitation of these vulnerabilities requires the attacker to be authenticated. The specific nature of these vulnerabilities is not detailed in the advisory, however the potential impact is severe, allowing for complete system compromise if successfully exploited. Defenders should prioritize identifying and mitigating installations of Langflow that are exposed to untrusted networks or users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker gains initial access to the Langflow application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting one of the unspecified vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe malicious request is sent to the Langflow server.\u003c/li\u003e\n\u003cli\u003eThe Langflow server processes the request, triggering the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to inject arbitrary code into the Langflow process.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the Langflow application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial code execution to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows a remote, authenticated attacker to execute arbitrary code on the Langflow server. This could lead to a complete compromise of the affected system, including the theft of sensitive data, the installation of malware, and the disruption of services. Given the lack of specific vulnerability details, it is difficult to estimate the precise number of potentially affected installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Langflow application logs for suspicious activity indicative of unauthorized access or code execution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls for the Langflow application to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T10:39:06Z","date_published":"2026-05-04T10:39:06Z","id":"/briefs/2026-05-langflow-code-exec/","summary":"An authenticated remote attacker can exploit multiple unspecified vulnerabilities in Langflow to achieve arbitrary code execution.","title":"Langflow Multiple Vulnerabilities Allow Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-langflow-code-exec/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7710"}],"_cs_exploited":false,"_cs_products":["yudao-cloud \u003c= 3.8.0","Ruoyi-Vue-Pro"],"_cs_severities":["high"],"_cs_tags":["authentication bypass","cve-2026-7710","web application"],"_cs_type":"advisory","_cs_vendors":["YunaiV"],"content_html":"\u003cp\u003eCVE-2026-7710 is an authentication bypass vulnerability affecting YunaiV\u0026rsquo;s yudao-cloud, specifically versions up to 3.8.0. The vulnerability resides in the \u003ccode\u003edoFilterInternal\u003c/code\u003e function within the \u003ccode\u003eJwtAuthenticationTokenFilter.java\u003c/code\u003e file of the Ruoyi-Vue-Pro component. An attacker can exploit this vulnerability by manipulating the \u003ccode\u003emock-token\u003c/code\u003e argument, leading to improper authentication. This allows a remote attacker to potentially gain unauthorized access to the application. Public exploits are available, increasing the risk of exploitation. The vendor was notified but has not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a YunaiV yudao-cloud instance running a vulnerable version (\u0026lt;= 3.8.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting an endpoint protected by authentication.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003emock-token\u003c/code\u003e argument designed to bypass the JWT authentication filter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eJwtAuthenticationTokenFilter.java\u003c/code\u003e component processes the request and improperly validates the manipulated \u003ccode\u003emock-token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the flawed authentication logic, the attacker is granted unauthorized access as an authenticated user.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to protected resources and functionalities within the application.\u003c/li\u003e\n\u003cli\u003eAttacker performs privileged actions such as data modification, account takeover, or further exploitation of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7710 allows attackers to bypass authentication and gain unauthorized access to YunaiV yudao-cloud applications. This can lead to the compromise of sensitive data, modification of application settings, and potentially full system takeover. Given the availability of public exploits, organizations using affected versions of yudao-cloud are at high risk. The CVSS v3.1 base score for this vulnerability is 7.3, indicating a high severity level.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade YunaiV yudao-cloud to a patched version that addresses CVE-2026-7710.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Malicious Mock Token Argument\u003c/code\u003e to identify exploitation attempts by monitoring web server logs for the presence of a \u003ccode\u003emock-token\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the server side to ensure that \u003ccode\u003emock-token\u003c/code\u003e values conform to expected patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T00:16:39Z","date_published":"2026-05-04T00:16:39Z","id":"/briefs/2026-05-yunai-auth-bypass/","summary":"YunaiV yudao-cloud up to version 3.8.0 is vulnerable to an authentication bypass (CVE-2026-7710) due to improper handling of the mock-token argument in the JwtAuthenticationTokenFilter.java file, allowing remote attackers to bypass authentication.","title":"YunaiV yudao-cloud Authentication Bypass Vulnerability (CVE-2026-7710)","url":"https://feed.craftedsignal.io/briefs/2026-05-yunai-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7698"}],"_cs_exploited":false,"_cs_products":["Easy7 Integrated Management Platform (7.17.0)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7698","command-injection","web-application"],"_cs_type":"advisory","_cs_vendors":["Tiandy"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-7698, has been identified in Tiandy Easy7 Integrated Management Platform version 7.17.0. This vulnerability resides within the \u003ccode\u003e/Easy7/rest/systemInfo/updateDbBackupInfo\u003c/code\u003e file, specifically related to the \u003ccode\u003eweek\u003c/code\u003e argument. Successful exploitation allows for arbitrary OS command injection. This vulnerability is remotely exploitable, meaning an attacker can trigger it over the network without needing local access. Publicly available exploit code exists, increasing the likelihood of exploitation. The vendor was notified but has not responded. Defenders should take immediate action to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Tiandy Easy7 Integrated Management Platform running version 7.17.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/Easy7/rest/systemInfo/updateDbBackupInfo\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a payload within the \u003ccode\u003eweek\u003c/code\u003e argument designed to inject OS commands.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application fails to properly sanitize or validate the \u003ccode\u003eweek\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application executes the injected OS command with the privileges of the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform further actions such as installing malware, exfiltrating data, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7698 allows an attacker to execute arbitrary commands on the affected system. This could lead to complete system compromise, data breaches, denial of service, or further lateral movement within the network. Given the publicly available exploit, organizations using Tiandy Easy7 Integrated Management Platform 7.17.0 are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches from Tiandy if they become available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/Easy7/rest/systemInfo/updateDbBackupInfo\u003c/code\u003e containing suspicious characters or command injection attempts. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious Requests to updateDbBackupInfo\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003eweek\u003c/code\u003e argument within the \u003ccode\u003e/Easy7/rest/systemInfo/updateDbBackupInfo\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by the web server, using the Sigma rule \u003ccode\u003eDetect OS Command Injection via Web Request\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and restrict network access to the Tiandy Easy7 Integrated Management Platform to only authorized users and systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T14:16:27Z","date_published":"2026-05-03T14:16:27Z","id":"/briefs/2026-05-tiandy-command-injection/","summary":"CVE-2026-7698 allows for remote OS command injection in Tiandy Easy7 Integrated Management Platform 7.17.0 via manipulation of the 'week' argument in the /Easy7/rest/systemInfo/updateDbBackupInfo file.","title":"Tiandy Easy7 Integrated Management Platform OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-tiandy-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7670"}],"_cs_exploited":false,"_cs_products":["OA 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-7670","web-application"],"_cs_type":"threat","_cs_vendors":["Jinher"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-7670, affects Jinher OA 1.0, a web-based office automation software. The vulnerability resides within the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx file, specifically in how the application handles the \u0026lsquo;DeptIDList\u0026rsquo; argument. An unauthenticated remote attacker can manipulate this argument to inject malicious SQL code into database queries. The vulnerability was reported to the vendor; however, there has been no response, and an exploit is publicly available. This lack of response and the availability of an exploit increases the risk to organizations using the affected Jinher OA 1.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Jinher OA 1.0 instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003e/C6/JHSoft.Web.PlanSummarize/UserSel.aspx\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a modified \u003ccode\u003eDeptIDList\u003c/code\u003e parameter containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe server-side application fails to properly sanitize or validate the \u003ccode\u003eDeptIDList\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is passed directly into a SQL query executed against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed by the database server, potentially allowing the attacker to bypass authentication, extract sensitive data, or modify data.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information, such as user credentials, internal configurations, or financial data, depending on the database structure and injected SQL commands.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages compromised data to gain further access, escalate privileges, or conduct lateral movement within the organization\u0026rsquo;s network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7670) can lead to unauthorized access to sensitive data, including user credentials, financial records, and internal communications. An attacker could potentially gain complete control over the affected Jinher OA 1.0 system and the underlying database. This could result in significant data breaches, financial losses, reputational damage, and disruption of business operations. Given the lack of vendor response, organizations using Jinher OA 1.0 are particularly vulnerable and should take immediate action to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/C6/JHSoft.Web.PlanSummarize/UserSel.aspx\u003c/code\u003e containing suspicious characters or SQL keywords within the \u003ccode\u003eDeptIDList\u003c/code\u003e parameter, as covered by the Sigma rule \u0026ldquo;Detect Jinher OA SQL Injection Attempt via DeptIDList\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to all user-supplied data, especially the \u003ccode\u003eDeptIDList\u003c/code\u003e parameter in \u003ccode\u003e/C6/JHSoft.Web.PlanSummarize/UserSel.aspx\u003c/code\u003e, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Generic SQL Injection Attempt\u0026rdquo; to identify broader SQL injection attempts across your web applications.\u003c/li\u003e\n\u003cli\u003eGiven the vendor\u0026rsquo;s lack of response, consider isolating the affected Jinher OA 1.0 instance from the network or replacing it with a more secure alternative.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T23:16:16Z","date_published":"2026-05-02T23:16:16Z","id":"/briefs/2024-01-jinher-oa-sqli/","summary":"Jinher OA 1.0 is vulnerable to remote SQL injection via the DeptIDList parameter in the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx file, potentially allowing attackers to execute arbitrary SQL queries.","title":"Jinher OA 1.0 SQL Injection Vulnerability (CVE-2026-7670)","url":"https://feed.craftedsignal.io/briefs/2024-01-jinher-oa-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7630"}],"_cs_exploited":true,"_cs_products":["InnoShop (\u003c= 0.7.8)"],"_cs_severities":["high"],"_cs_tags":["cve","authentication bypass","web application"],"_cs_type":"threat","_cs_vendors":["innocommerce"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-7630, affects innocommerce InnoShop versions up to 0.7.8. The vulnerability resides in the \u003ccode\u003eInstallServiceProvider::boot\u003c/code\u003e function within the \u003ccode\u003einnopacks/install/src/InstallServiceProvider.php\u003c/code\u003e file, which governs the installation endpoint. Successful exploitation allows remote attackers to bypass authentication mechanisms, potentially leading to complete system compromise. Publicly available exploits exist, increasing the risk of active exploitation. It is crucial for administrators to apply the provided patch (identifier: \u003ccode\u003e45758e4ec22451ab944ae2ae826b1e70f6450dc9\u003c/code\u003e) immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an InnoShop instance running a vulnerable version (\u0026lt;= 0.7.8).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the installation endpoint (\u003ccode\u003einnopacks/install/src/InstallServiceProvider.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request exploits the improper authentication in the \u003ccode\u003eInstallServiceProvider::boot\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eAuthentication checks are bypassed due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the installation process.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code or configurations during the installation phase.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with elevated privileges, granting the attacker control over the InnoShop instance.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a persistent backdoor for future access and potential data exfiltration or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7630 allows unauthenticated remote attackers to compromise InnoShop installations. This can lead to complete control of the web server, potentially affecting sensitive customer data, financial information, and intellectual property.  Given the ease of exploitation and publicly available exploits, unpatched InnoShop instances are at high risk of compromise.  The number of affected installations is currently unknown, but the widespread use of InnoShop in e-commerce makes this a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the patch identified by \u003ccode\u003e45758e4ec22451ab944ae2ae826b1e70f6450dc9\u003c/code\u003e to remediate the improper authentication vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect InnoShop Installation Endpoint Access\u0026rdquo; to identify unauthorized access attempts to the installation endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003einnopacks/install/src/InstallServiceProvider.php\u003c/code\u003e path, based on \u0026ldquo;Detect InnoShop Installation Endpoint Access\u0026rdquo; to identify post-exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T14:16:18Z","date_published":"2026-05-02T14:16:18Z","id":"/briefs/2026-05-innoshop-auth-bypass/","summary":"InnoShop version 0.7.8 and earlier contains an improper authentication vulnerability in the InstallServiceProvider::boot function (CVE-2026-7630) that allows remote attackers to bypass authentication and gain unauthorized access to the installation endpoint.","title":"InnoShop Improper Authentication Vulnerability (CVE-2026-7630)","url":"https://feed.craftedsignal.io/briefs/2026-05-innoshop-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7632"}],"_cs_exploited":false,"_cs_products":["Online Hospital Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eCVE-2026-7632 is a critical security flaw affecting code-projects Online Hospital Management System version 1.0. The vulnerability lies within the \u003ccode\u003e/viewappointment.php\u003c/code\u003e file, where insufficient input validation allows for SQL injection via the \u003ccode\u003edelid\u003c/code\u003e argument. A remote attacker can exploit this vulnerability to inject arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit is publicly disclosed, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to organizations using the affected system, as it could compromise sensitive patient data and disrupt hospital operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an instance of code-projects Online Hospital Management System 1.0 running the vulnerable \u003ccode\u003e/viewappointment.php\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/viewappointment.php\u003c/code\u003e with a specially crafted \u003ccode\u003edelid\u003c/code\u003e parameter containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003edelid\u003c/code\u003e input, allowing the injected SQL code to be passed to the database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database server.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data such as patient records, usernames, and passwords from the database using SQL queries like \u003ccode\u003eUNION SELECT\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete data within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially escalate privileges within the application by manipulating user roles or injecting administrative accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7632 can lead to severe consequences, including unauthorized access to sensitive patient data, such as medical history, personal information, and financial records. Attackers could modify or delete critical data, disrupting hospital operations and potentially impacting patient care. The vulnerability could also allow attackers to gain control of the system, leading to further malicious activities like data exfiltration or ransomware deployment. This poses a significant risk to the privacy and security of patient information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection in Online Hospital Management System\u003c/code\u003e to your SIEM to identify exploitation attempts targeting the \u003ccode\u003e/viewappointment.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures in the \u003ccode\u003e/viewappointment.php\u003c/code\u003e script to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of code-projects Online Hospital Management System that addresses CVE-2026-7632 (if available).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T14:16:18Z","date_published":"2026-05-02T14:16:18Z","id":"/briefs/2026-05-online-hospital-management-sql-injection/","summary":"CVE-2026-7632 is a SQL injection vulnerability in code-projects Online Hospital Management System 1.0, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'delid' argument in the '/viewappointment.php' file.","title":"code-projects Online Hospital Management System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-online-hospital-management-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7590"}],"_cs_exploited":false,"_cs_products":["p_69_branch_monkey_mcp"],"_cs_severities":["critical"],"_cs_tags":["command-injection","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["eyal-gor"],"content_html":"\u003cp\u003eA critical OS command injection vulnerability, CVE-2026-7590, has been identified in the Preview Endpoint of eyal-gor\u0026rsquo;s p_69_branch_monkey_mcp. This vulnerability affects versions up to commit 69bc71874ce40050ef45fde5a435855f18af3373. A remote attacker can exploit this flaw by manipulating the \u003ccode\u003edev_script\u003c/code\u003e argument within the \u003ccode\u003ebranch_monkey_mcp/bridge_and_local_actions/routes/advanced.py\u003c/code\u003e file.  Successful exploitation allows for arbitrary command execution on the host operating system. The exploit is publicly available, increasing the risk of widespread exploitation. The vendor has been notified but has not yet responded. The lack of versioning makes it difficult to determine the exact scope of affected installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of p_69_branch_monkey_mcp running a web server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Preview Endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a payload in the \u003ccode\u003edev_script\u003c/code\u003e argument designed to inject OS commands via the \u003ccode\u003ebranch_monkey_mcp/bridge_and_local_actions/routes/advanced.py\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request, passing the attacker-controlled \u003ccode\u003edev_script\u003c/code\u003e argument to a function that executes system commands without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected OS command is executed by the server, potentially with the privileges of the web server user. For example, an attacker could inject \u003ccode\u003els -la\u003c/code\u003e to list directory contents.\u003c/li\u003e\n\u003cli\u003eThe output of the injected command is returned to the attacker via the web server\u0026rsquo;s response, confirming successful command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial command execution to escalate privileges, install persistent backdoors, or move laterally within the network, depending on the server\u0026rsquo;s configuration and accessible resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7590 allows a remote attacker to execute arbitrary OS commands on the affected server. This could lead to complete system compromise, including data theft, malware installation, and denial of service. The lack of version information makes it difficult to ascertain the number of vulnerable installations, but given the publicly available exploit, widespread exploitation is possible. Organizations using p_69_branch_monkey_mcp are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the Preview Endpoint and containing potentially malicious payloads in the \u003ccode\u003edev_script\u003c/code\u003e parameter as described in the attack chain. Use the \u0026ldquo;p_69_branch_monkey_mcp_command_injection\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect process creation events for unexpected processes spawned by the web server, indicating potential command injection. Use the \u0026ldquo;p_69_branch_monkey_mcp_unexpected_process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003edev_script\u003c/code\u003e parameter in the \u003ccode\u003ebranch_monkey_mcp/bridge_and_local_actions/routes/advanced.py\u003c/code\u003e file to prevent command injection.\u003c/li\u003e\n\u003cli\u003eAlthough specific vulnerable versions are unavailable, immediately investigate and patch any instances of \u003ccode\u003ep_69_branch_monkey_mcp\u003c/code\u003e due to the public exploit availability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:00:00Z","date_published":"2026-05-02T12:00:00Z","id":"/briefs/2026-05-branch-monkey-mcp-command-injection/","summary":"A remote attacker can inject OS commands by manipulating the dev_script argument in the Preview Endpoint of eyal-gor's p_69_branch_monkey_mcp (up to commit 69bc71874ce40050ef45fde5a435855f18af3373), leading to arbitrary code execution on the server.","title":"OS Command Injection Vulnerability in p_69_branch_monkey_mcp Preview Endpoint (CVE-2026-7590)","url":"https://feed.craftedsignal.io/briefs/2026-05-branch-monkey-mcp-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7491"}],"_cs_exploited":false,"_cs_products":["School App"],"_cs_severities":["high"],"_cs_tags":["idor","vulnerability","web application","cve-2026-7491"],"_cs_type":"advisory","_cs_vendors":["Zyosoft"],"content_html":"\u003cp\u003eThe Zyosoft School App is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability identified as CVE-2026-7491. This flaw allows authenticated remote attackers to bypass authorization controls by modifying specific parameters within the application\u0026rsquo;s requests. By manipulating these parameters, attackers can gain unauthorized access to sensitive data belonging to other users, as well as modify that data. Successful exploitation allows unauthorized data access and modification, potentially leading to data breaches, privacy violations, and manipulation of user accounts. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Zyosoft School App using valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a request that includes a user-controlled parameter referencing a specific object (e.g., user ID, record number).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the value of this parameter to reference a different object belonging to another user.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified request to the server.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks, processes the request using the attacker-supplied object reference.\u003c/li\u003e\n\u003cli\u003eThe server returns the data associated with the targeted user\u0026rsquo;s object to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker can further modify parameters to alter the data of the targeted user.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully reads or modifies the targeted user\u0026rsquo;s data without proper authorization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7491 allows authenticated attackers to read and modify other users\u0026rsquo; data within the Zyosoft School App. This can lead to severe consequences, including unauthorized access to sensitive student or staff information, modification of grades or attendance records, and potential data breaches. The number of affected users depends on the app\u0026rsquo;s deployment size, but any instance is vulnerable. This issue could affect any educational institution using the Zyosoft School App.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for requests containing unusual parameter modifications, specifically those referencing user IDs or other sensitive data fields (webserver logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to access or modify resources using potentially manipulated object references (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement robust authorization checks in the Zyosoft School App to verify that users only have access to resources they are explicitly authorized to access.\u003c/li\u003e\n\u003cli\u003eContact Zyosoft for a patch addressing CVE-2026-7491.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T10:16:19Z","date_published":"2026-05-02T10:16:19Z","id":"/briefs/2026-05-zyosoft-school-app-idor/","summary":"Zyosoft's School App contains an Insecure Direct Object Reference vulnerability (CVE-2026-7491) that allows authenticated remote attackers to modify parameters and access or modify other users' data.","title":"Zyosoft School App Insecure Direct Object Reference Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-zyosoft-school-app-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7489"}],"_cs_exploited":false,"_cs_products":["CTMS"],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-7489","web-application"],"_cs_type":"advisory","_cs_vendors":["Sunnet"],"content_html":"\u003cp\u003eA SQL Injection vulnerability, identified as CVE-2026-7489, exists in CTMS developed by Sunnet. This flaw allows authenticated remote attackers to inject arbitrary SQL commands. Successful exploitation could allow the attackers to read, modify, and delete database contents. The vulnerability was published on May 2, 2026. The scope of this vulnerability affects systems running the vulnerable CTMS software, potentially leading to data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the CTMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an endpoint vulnerable to SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL query designed to exploit the injection point, likely using tools like Burp Suite or SQLMap.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the SQL payload via a crafted HTTP request, targeting vulnerable parameters within the request.\u003c/li\u003e\n\u003cli\u003eThe CTMS application executes the injected SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses authentication or authorization controls to gain elevated privileges within the application or database.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive data from the database, such as user credentials or confidential business information.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or deletes database entries, leading to data corruption or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could allow attackers to read sensitive information, modify data, or delete critical database contents. This could lead to a complete compromise of the CTMS application and its underlying database, impacting all users and data managed by the system. The severity is heightened by the potential for attackers to gain complete control over the database, leading to significant data breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade CTMS to a version that addresses CVE-2026-7489 as soon as it becomes available from Sunnet.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Attempts\u0026rdquo; to identify potential exploitation attempts against CTMS (see below).\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious activity indicative of SQL injection attempts, specifically looking for unusual characters or SQL syntax in HTTP request parameters.\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and sanitization techniques to prevent SQL injection vulnerabilities in CTMS and other web applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T10:16:18Z","date_published":"2026-05-02T10:16:18Z","id":"/briefs/2026-05-sunnet-ctms-sqli/","summary":"Sunnet CTMS is vulnerable to SQL injection (CVE-2026-7489), allowing authenticated remote attackers to execute arbitrary SQL commands and compromise the database.","title":"Sunnet CTMS SQL Injection Vulnerability (CVE-2026-7489)","url":"https://feed.craftedsignal.io/briefs/2026-05-sunnet-ctms-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7594"}],"_cs_exploited":false,"_cs_products":["mcp-game-asset-gen 0.1.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["Flux159"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7594, has been discovered in Flux159 mcp-game-asset-gen version 0.1.0. The vulnerability resides within the \u003ccode\u003eimage_to_3d_async\u003c/code\u003e function located in the \u003ccode\u003esrc/index.ts\u003c/code\u003e file of the MCP Interface component. Successful exploitation allows a remote attacker to manipulate the \u003ccode\u003estatusFile\u003c/code\u003e argument, potentially leading to unauthorized file access and modification. Public exploits are available, increasing the risk of widespread exploitation. The project maintainers were notified via an issue report, but have not yet addressed the vulnerability. This lack of response, coupled with the existence of public exploits, elevates the urgency for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of mcp-game-asset-gen 0.1.0 running on a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eimage_to_3d_async\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker manipulates the \u003ccode\u003estatusFile\u003c/code\u003e argument to include path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request, using the attacker-controlled \u003ccode\u003estatusFile\u003c/code\u003e value to construct a file path.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the path traversal sequences are not properly sanitized.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read or write to a file outside the intended directory, based on the manipulated path.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains unauthorized access to sensitive files or overwrites critical system files.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file access to further compromise the system, potentially leading to code execution or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability could allow attackers to read sensitive files, overwrite critical system files, or even achieve remote code execution on the affected server. This could lead to data breaches, system instability, or complete server compromise. Given the availability of public exploits, organizations using mcp-game-asset-gen 0.1.0 are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003estatusFile\u003c/code\u003e argument within the \u003ccode\u003eimage_to_3d_async\u003c/code\u003e function to prevent path traversal, addressing CVE-2026-7594.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;) in the \u003ccode\u003estatusFile\u003c/code\u003e parameter using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule targeting process creation events related to the exploitation of CVE-2026-7594.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T21:16:17Z","date_published":"2026-05-01T21:16:17Z","id":"/briefs/2026-05-mcp-game-asset-gen-path-traversal/","summary":"A path traversal vulnerability exists in Flux159 mcp-game-asset-gen version 0.1.0, where manipulation of the `statusFile` argument in the `image_to_3d_async` function allows for remote exploitation.","title":"Flux159 mcp-game-asset-gen Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-mcp-game-asset-gen-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7592"}],"_cs_exploited":false,"_cs_products":["Courier Management System (1.0)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["itsourcecode"],"content_html":"\u003cp\u003eitsourcecode Courier Management System 1.0 is vulnerable to a SQL injection vulnerability. The vulnerability resides in the \u003ccode\u003e/edit_staff.php\u003c/code\u003e file and can be exploited by manipulating the \u003ccode\u003eID\u003c/code\u003e argument. This allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit is publicly available, increasing the risk of exploitation. The vulnerability was reported on May 1, 2026, and affects version 1.0 of the Courier Management System.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003e/edit_staff.php\u003c/code\u003e endpoint in the Courier Management System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload within the \u003ccode\u003eID\u003c/code\u003e parameter of a HTTP GET or POST request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the \u003ccode\u003e/edit_staff.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003eID\u003c/code\u003e parameter, allowing the SQL injection payload to be processed by the database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL query is executed against the database, potentially allowing the attacker to bypass authentication or authorization controls.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information from the database, such as user credentials, financial records, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies data in the database, potentially altering application behavior or causing data corruption.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control of the database server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could allow attackers to read, modify, or delete sensitive data within the Courier Management System database. This could lead to unauthorized access to customer information, financial data, and other confidential records. Given the public availability of the exploit, organizations using Courier Management System 1.0 are at a high risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eID\u003c/code\u003e parameter in \u003ccode\u003e/edit_staff.php\u003c/code\u003e to prevent SQL injection (CVE-2026-7592).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential SQL injection attempts targeting the \u003ccode\u003e/edit_staff.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to block known SQL injection payloads (CVE-2026-7592).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:16:24Z","date_published":"2026-05-01T20:16:24Z","id":"/briefs/2026-05-courier-mgmt-sqli/","summary":"itsourcecode Courier Management System 1.0 is vulnerable to SQL Injection via the ID parameter in /edit_staff.php, potentially allowing remote attackers to execute arbitrary SQL commands.","title":"SQL Injection Vulnerability in itsourcecode Courier Management System","url":"https://feed.craftedsignal.io/briefs/2026-05-courier-mgmt-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7549"}],"_cs_exploited":false,"_cs_products":["Pharmacy Sales and Inventory System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eOn May 1, 2026, a SQL injection vulnerability, CVE-2026-7549, was disclosed in SourceCodester Pharmacy Sales and Inventory System version 1.0. The vulnerability resides in the \u003ccode\u003e/ajax.php?action=delete_customer\u003c/code\u003e endpoint, where the \u003ccode\u003eID\u003c/code\u003e parameter is susceptible to manipulation, enabling remote attackers to inject arbitrary SQL commands. Publicly available exploit code exists, increasing the risk of exploitation. Successful exploitation can lead to unauthorized data access, modification, or deletion within the application\u0026rsquo;s database. This vulnerability is particularly concerning due to the sensitive nature of pharmacy data, potentially impacting confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies the vulnerable \u003ccode\u003e/ajax.php?action=delete_customer\u003c/code\u003e endpoint in SourceCodester Pharmacy Sales and Inventory System 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated \u003ccode\u003eID\u003c/code\u003e parameter containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003eID\u003c/code\u003e parameter before incorporating it into a SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the application\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data, such as customer information, prescription details, or inventory levels.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete data within the database, potentially disrupting pharmacy operations or causing data integrity issues.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7549) can lead to the complete compromise of the SourceCodester Pharmacy Sales and Inventory System database. Attackers could potentially exfiltrate sensitive patient data, modify prescription information, or disrupt pharmacy operations by deleting critical data. The vulnerability has a CVSS v3.1 score of 7.3 (HIGH), indicating a significant risk. The number of victims and specific sectors targeted remain unknown, but any pharmacy using the affected version is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to all user-supplied input, especially the \u003ccode\u003eID\u003c/code\u003e parameter in \u003ccode\u003e/ajax.php?action=delete_customer\u003c/code\u003e, to prevent SQL injection (CWE-89).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SQL Injection Attempts in Pharmacy Sales System\u0026rdquo; to identify and block malicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of SourceCodester Pharmacy Sales and Inventory System that addresses CVE-2026-7549 once available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual requests to \u003ccode\u003e/ajax.php?action=delete_customer\u003c/code\u003e, to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T05:16:03Z","date_published":"2026-05-01T05:16:03Z","id":"/briefs/2026-05-pharmacy-sqli/","summary":"SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to remote SQL injection via the ID parameter in the /ajax.php?action=delete_customer endpoint, allowing attackers to potentially read, modify, or delete database information.","title":"SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-pharmacy-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7550"}],"_cs_exploited":false,"_cs_products":["Pharmacy Sales and Inventory System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve-2026-7550"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eSourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection via the /ajax.php?action=save_customer endpoint. Disclosed on May 1, 2026, the vulnerability, identified as CVE-2026-7550, allows unauthenticated remote attackers to inject arbitrary SQL commands by manipulating the \u003ccode\u003eID\u003c/code\u003e argument. The vulnerability exists due to insufficient input validation. Public exploit code is available, increasing the risk of exploitation. This vulnerability allows attackers to potentially read, modify, or delete sensitive data within the application\u0026rsquo;s database.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the vulnerable endpoint \u003ccode\u003e/ajax.php?action=save_customer\u003c/code\u003e within the Pharmacy Sales and Inventory System 1.0 application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003e/ajax.php?action=save_customer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003eID\u003c/code\u003e parameter designed to inject SQL commands.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input provided in the \u003ccode\u003eID\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-supplied SQL code against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker can retrieve sensitive information, such as customer details, product information, or administrative credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify existing data, such as prices or inventory levels.\u003c/li\u003e\n\u003cli\u003eThe attacker may gain complete control of the database, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7550) can lead to unauthorized access to sensitive data, data modification, or complete database compromise. This could result in financial losses, reputational damage, and legal repercussions for affected organizations. Given the nature of the application, attackers could potentially access patient data or prescription information, leading to severe privacy breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eID\u003c/code\u003e parameter in the \u003ccode\u003e/ajax.php?action=save_customer\u003c/code\u003e endpoint to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/ajax.php?action=save_customer\u003c/code\u003e endpoint with unusual \u003ccode\u003eID\u003c/code\u003e parameter values. Deploy the provided Sigma rule to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter out malicious requests targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of the SourceCodester Pharmacy Sales and Inventory System once available.\u003c/li\u003e\n\u003cli\u003eImplement regular database backups to mitigate potential data loss due to successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T05:16:03Z","date_published":"2026-05-01T05:16:03Z","id":"/briefs/2026-05-pharmacy-inventory-sql-injection/","summary":"CVE-2026-7550 is an SQL injection vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the ID argument in the /ajax.php?action=save_customer endpoint.","title":"SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-pharmacy-inventory-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7545"}],"_cs_exploited":false,"_cs_products":["Advanced School Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eSourceCodester Advanced School Management System version 1.0 is vulnerable to SQL injection in the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint within the \u003ccode\u003ecommonController.php\u003c/code\u003e file. This vulnerability, identified as CVE-2026-7545, allows a remote attacker to inject arbitrary SQL commands. Publicly available exploits targeting this vulnerability increase the risk of exploitation. Successful exploitation could lead to unauthorized data access, modification, or deletion within the application\u0026rsquo;s database. Given the availability of public exploits, organizations using this software are at an elevated risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint in \u003ccode\u003ecommonController.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint, injecting SQL code into the email parameter.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application fails to properly sanitize the email input.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is passed directly to the database query.\u003c/li\u003e\n\u003cli\u003eThe database executes the malicious SQL code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may then read sensitive data, modify existing data, or insert new malicious data.\u003c/li\u003e\n\u003cli\u003eThe attacker might also use this to escalate privileges within the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7545) could allow an attacker to read, modify, or delete sensitive data stored in the Advanced School Management System database. This could include student records, financial information, or administrative credentials. The availability of public exploits increases the likelihood of attacks targeting this vulnerability, potentially impacting any organization using the affected software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint in \u003ccode\u003ecommonController.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ASMS CheckEmail SQL Injection Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003echeckEmail\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:16:49Z","date_published":"2026-05-01T02:16:49Z","id":"/briefs/2026-05-asms-sqli/","summary":"A SQL injection vulnerability (CVE-2026-7545) exists in SourceCodester Advanced School Management System 1.0 within the checkEmail endpoint of commonController.php, allowing remote attackers to potentially execute arbitrary SQL commands.","title":"SourceCodester Advanced School Management System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-asms-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7519"}],"_cs_exploited":false,"_cs_products":["LiveBOS (\u003c= 2.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7519"],"_cs_type":"advisory","_cs_vendors":["Fujian Apex"],"content_html":"\u003cp\u003eFujian Apex LiveBOS, a live broadcasting system, is vulnerable to a path traversal attack. This vulnerability, identified as CVE-2026-7519, exists due to insufficient input validation on the filename parameter within the /feed/UploadImage.do endpoint. Versions up to and including 2.0 are affected. Publicly available exploits exist, increasing the risk of exploitation. An attacker can leverage this flaw to access sensitive files on the server, potentially leading to information disclosure or further system compromise. Upgrading to version 2.1 or applying available patches is strongly recommended.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Fujian Apex LiveBOS instance running version 2.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the /feed/UploadImage.do endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the filename parameter within the request, injecting path traversal sequences (e.g., ../../).\u003c/li\u003e\n\u003cli\u003eThe server-side application fails to properly sanitize the filename, allowing the path traversal sequence to be processed.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read a file based on the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the leaked file content for sensitive information (e.g., credentials, configuration files).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive files on the LiveBOS server. This could include configuration files containing database credentials, private keys, or other confidential information. The impact ranges from information disclosure to potential full system compromise, depending on the accessed data. There are no reported victims or sectors targeted as of yet, but the public availability of the exploit increases the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Fujian Apex LiveBOS to version 2.1 to remediate CVE-2026-7519.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LiveBOS Path Traversal Attempt\u003c/code\u003e to identify malicious requests exploiting the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing path traversal sequences targeting the \u003ccode\u003e/feed/UploadImage.do\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T01:16:38Z","date_published":"2026-05-01T01:16:38Z","id":"/briefs/2026-05-livebos-path-traversal/","summary":"A path traversal vulnerability exists in Fujian Apex LiveBOS version 2.0 and earlier, allowing remote attackers to read arbitrary files by manipulating the filename argument in the /feed/UploadImage.do endpoint.","title":"Fujian Apex LiveBOS Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-livebos-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7435"}],"_cs_exploited":false,"_cs_products":["SSCMS 7.4.0"],"_cs_severities":["critical"],"_cs_tags":["sqli","cve-2026-7435","web-application"],"_cs_type":"advisory","_cs_vendors":["siteserver"],"content_html":"\u003cp\u003eSSCMS v7.4.0 is susceptible to a SQL injection vulnerability (CVE-2026-7435) within the \u003ccode\u003estl:sqlContent\u003c/code\u003e tag. The vulnerability arises because the \u003ccode\u003equeryString\u003c/code\u003e attribute is passed directly to database execution without adequate sanitization or parameterization. This flaw enables attackers to inject malicious SQL code by crafting encrypted payloads and submitting them to the \u003ccode\u003e/api/stl/actions/dynamic\u003c/code\u003e endpoint. Successful exploitation can lead to unauthorized access to the database, disclosure of sensitive information, authentication bypass, modification of data, or even complete compromise of the database. This vulnerability poses a significant risk to organizations using the affected SSCMS version, potentially leading to severe data breaches and system disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an SSCMS v7.4.0 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload, specifically targeting the \u003ccode\u003equeryString\u003c/code\u003e attribute within the \u003ccode\u003estl:sqlContent\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts the crafted SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the encrypted payload to the \u003ccode\u003e/api/stl/actions/dynamic\u003c/code\u003e endpoint using an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe SSCMS application receives the request and processes the \u003ccode\u003estl:sqlContent\u003c/code\u003e tag without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the database, potentially extracting sensitive data or modifying existing records.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges or move laterally within the compromised system, depending on the level of access gained.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to severe consequences. An attacker could gain complete control over the SSCMS database, potentially exposing sensitive user data, confidential business information, or proprietary intellectual property. Data breaches resulting from this vulnerability could lead to significant financial losses, reputational damage, and legal liabilities. The lack of specifics about victim count or sectors targeted makes quantification difficult, but the potential impact is high for any organization using the affected software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for SSCMS v7.4.0 to address the SQL injection vulnerability described in CVE-2026-7435.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection attacks, specifically focusing on the \u003ccode\u003equeryString\u003c/code\u003e attribute of the \u003ccode\u003estl:sqlContent\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SSCMS stl:sqlContent Requests\u003c/code\u003e to identify potential exploitation attempts targeting the \u003ccode\u003e/api/stl/actions/dynamic\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T21:16:34Z","date_published":"2026-04-30T21:16:34Z","id":"/briefs/2026-04-sscms-sqli/","summary":"SSCMS v7.4.0 is vulnerable to SQL injection via the stl:sqlContent tag's queryString attribute, allowing attackers to execute arbitrary SQL statements through crafted payloads submitted to the /api/stl/actions/dynamic endpoint.","title":"SSCMS v7.4.0 SQL Injection Vulnerability in stl:sqlContent Tag","url":"https://feed.craftedsignal.io/briefs/2026-04-sscms-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms (\u003c= 4.8.0)","cms (\u003e= 5.0.0, \u003c= 5.3.3)","Kirby Panel","Kirby REST API"],"_cs_severities":["high"],"_cs_tags":["authorization","cms","web-application"],"_cs_type":"advisory","_cs_vendors":["getkirby"],"content_html":"\u003cp\u003eKirby CMS versions prior to 4.9.0 and between 5.0.0 and 5.3.3 are vulnerable to a missing authorization flaw. This vulnerability impacts Kirby sites where user roles are intentionally configured with restricted access to pages or files through disabled \u003ccode\u003epages.access\u003c/code\u003e, \u003ccode\u003epages.list\u003c/code\u003e, \u003ccode\u003efiles.access\u003c/code\u003e, or \u003ccode\u003efiles.list\u003c/code\u003e permissions. The issue stems from inconsistent permission checks within the Kirby Panel and REST API, allowing authenticated users to access resources they should not be able to. Updating to versions 4.9.0, 5.4.0, or later resolves this vulnerability by implementing consistent permission checks. The vulnerability is identified as CVE-2026-42137.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the Kirby CMS Panel or REST API.\u003c/li\u003e\n\u003cli\u003eThe user attempts to access a page or file for which their role lacks the necessary \u003ccode\u003epages.access\u003c/code\u003e/\u003ccode\u003efiles.access\u003c/code\u003e or \u003ccode\u003epages.list\u003c/code\u003e/\u003ccode\u003efiles.list\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eDue to inconsistent permission checks, the user can view the page or file details via the \u0026ldquo;changes\u0026rdquo; dialog in the Panel, even if listing is disabled.\u003c/li\u003e\n\u003cli\u003eThe user accesses the REST API, which, despite direct access checks, fails to properly filter collections or related models (children, drafts, files, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker views images associated with restricted site, pages, or user resources in lists within the Panel.\u003c/li\u003e\n\u003cli\u003eThe user exploits the incorrect permission check (using \u003ccode\u003epages.access\u003c/code\u003e instead of \u003ccode\u003epages.list\u003c/code\u003e or \u003ccode\u003efiles.access\u003c/code\u003e instead of \u003ccode\u003efiles.list\u003c/code\u003e in specific API routes).\u003c/li\u003e\n\u003cli\u003eThe user traverses to previous or next files using direct links in the files view, even if those files should not be listable.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or modifies content due to the bypassed permission checks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows authenticated users to bypass intended access restrictions within Kirby CMS, leading to potential unauthorized access to sensitive information and/or unauthorized content modification. The inconsistent permission checks in the Panel and REST API could result in unintended disclosure of data restricted by role-based access controls. Successful exploitation could compromise the confidentiality and integrity of the affected Kirby CMS instance. While the advisory does not list the number of victims, this flaw impacts any Kirby site with restricted roles.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS version 4.9.0 or 5.4.0 (or later) to patch the vulnerability as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eReview user role permissions and blueprint configurations to ensure appropriate access controls are in place after patching, as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests to resources that should be restricted, using the rules below, to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate potential brute-force attacks attempting to exploit this or other vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T21:03:20Z","date_published":"2026-04-30T21:03:20Z","id":"/briefs/2026-04-kirby-auth-bypass/","summary":"A missing authorization vulnerability in Kirby CMS allows authenticated users to bypass intended access restrictions on pages and files, potentially leading to unauthorized information disclosure and content modification; patched in versions 4.9.0 and 5.4.0.","title":"Kirby CMS Missing Authorization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-kirby-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7468"}],"_cs_exploited":false,"_cs_products":["smart-admin"],"_cs_severities":["medium"],"_cs_tags":["access-control","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["1024-lab"],"content_html":"\u003cp\u003eA security vulnerability, CVE-2026-7468, has been identified in 1024-lab smart-admin, specifically in versions up to 3.30.0. This flaw resides within an unspecified function of the \u003ccode\u003e/smart-admin-api/druid/index.html\u003c/code\u003e file, a component of the Demo Site. The vulnerability stems from improper access controls, which could allow unauthorized remote access. The public disclosure of an exploit increases the risk of exploitation. While the 1024-lab project was notified through an issue report, a response or patch has not yet been released, making systems running vulnerable versions susceptible to attack. This vulnerability allows for potential compromise of the application and sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of 1024-lab smart-admin running a version up to 3.30.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003e/smart-admin-api/druid/index.html\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request exploits the improper access control vulnerability to bypass authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe system incorrectly processes the request, granting the attacker unintended access to restricted resources or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this unauthorized access to read sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker further exploits the vulnerability to modify data or application configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised application to pivot to other systems or data within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7468 allows attackers to gain unauthorized access to sensitive data and functionality within the 1024-lab smart-admin application. The impact could range from information disclosure to complete system compromise, depending on the specific function affected and the attacker\u0026rsquo;s objectives. As the vulnerability resides in a \u0026lsquo;Demo Site\u0026rsquo; component, the impact is likely to be proof-of-concept or low, but could be more significant if the application is in production.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/smart-admin-api/druid/index.html\u003c/code\u003e endpoint to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates released by 1024-lab to address CVE-2026-7468.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T01:16:03Z","date_published":"2026-04-30T01:16:03Z","id":"/briefs/2026-04-smart-admin-access-control/","summary":"CVE-2026-7468 is an improper access control vulnerability in 1024-lab smart-admin up to version 3.30.0, affecting the /smart-admin-api/druid/index.html file, which can be exploited remotely.","title":"1024-lab smart-admin Improper Access Control Vulnerability (CVE-2026-7468)","url":"https://feed.craftedsignal.io/briefs/2026-04-smart-admin-access-control/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["medium"],"_cs_tags":["saml","signature-bypass","authentication","authorization","web-application"],"_cs_type":"advisory","_cs_vendors":["admidio"],"content_html":"\u003cp\u003eAdmidio, a free web-based content management system for organizations and groups, contains a critical vulnerability in its SAML Single Sign-On (SSO) implementation. The \u003ccode\u003evalidateSignature()\u003c/code\u003e method within the SAMLService class returns error strings upon signature validation failure, rather than throwing exceptions. The calling functions, \u003ccode\u003ehandleSSORequest()\u003c/code\u003e and \u003ccode\u003ehandleSLORequest()\u003c/code\u003e, incorrectly assume that the method throws an exception, and therefore, do not check the return value. This oversight renders the \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e configuration option ineffective, allowing attackers to forge SAML AuthnRequests and LogoutRequests. An attacker can exploit this vulnerability to obtain sensitive user information or cause denial of service by terminating user sessions. This affects Admidio versions 5.0.8 and earlier and requires SAML SSO to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SAML AuthnRequest or LogoutRequest without a valid signature, impersonating a legitimate Service Provider (SP).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the forged SAML request to the Admidio instance via HTTP GET or POST to \u003ccode\u003emodules/sso/index.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereceiveMessage()\u003c/code\u003e function parses the SAML binding directly from the HTTP request, requiring no prior authentication.\u003c/li\u003e\n\u003cli\u003eThe Entity ID is extracted from the forged request\u0026rsquo;s Issuer element, and the corresponding client configuration is loaded.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidateSignature()\u003c/code\u003e function is called, but its return value (indicating signature validity) is discarded.\u003c/li\u003e\n\u003cli\u003eFor AuthnRequests, if the targeted user has an active session (\u003ccode\u003e$gValidLogin\u003c/code\u003e is true), the login form is skipped.\u003c/li\u003e\n\u003cli\u003eAdmidio builds a SAML Response containing the user\u0026rsquo;s attributes (login, name, email, roles) and sends it to the attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor LogoutRequests, the user\u0026rsquo;s session is immediately terminated in the database, triggering a cascading single logout across all registered SPs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical impacts. The primary impact is the complete bypass of signature enforcement, negating the security benefits of the \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e setting. This can lead to the disclosure of sensitive user attributes, including login name, email, and role memberships, to unauthorized parties by forging SSO requests and redirecting them to attacker-controlled endpoints. Furthermore, attackers can terminate any user\u0026rsquo;s Admidio session by forging SLO requests, potentially causing a denial-of-service condition. This vulnerability affects all Admidio instances with SAML SSO enabled and can potentially impact all users of the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix in the Admidio codebase to check the return value of \u003ccode\u003evalidateSignature()\u003c/code\u003e and throw an exception on failure, as outlined in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-25cw-98hg-g3cg)\"\u003ehttps://github.com/advisories/GHSA-25cw-98hg-g3cg)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Admidio Forged SAML AuthnRequest Detection\u0026rdquo; to detect potentially malicious SAML AuthnRequests lacking a valid signature via webserver logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Admidio Forged SAML LogoutRequest Detection\u0026rdquo; to detect potentially malicious SAML LogoutRequests lacking a valid signature via webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/adm_program/modules/sso/index.php/saml/sso\u003c/code\u003e and \u003ccode\u003e/adm_program/modules/sso/index.php/saml/slo\u003c/code\u003e without proper signature validation to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Admidio to address CVE-2026-41669.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:56:13Z","date_published":"2026-04-29T21:56:13Z","id":"/briefs/2026-04-admidio-saml-bypass/","summary":"Admidio's SAML Identity Provider implementation fails to properly validate signatures on SAML AuthnRequests and LogoutRequests, enabling attackers to bypass signature enforcement, potentially disclose user attributes via forged SSO requests, and terminate user sessions via forged SLO requests.","title":"Admidio SAML Signature Validation Bypass Allows Forged AuthnRequests and LogoutRequests","url":"https://feed.craftedsignal.io/briefs/2026-04-admidio-saml-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7404"}],"_cs_exploited":false,"_cs_products":["mcpo-simple-server"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7404"],"_cs_type":"advisory","_cs_vendors":["getsimpletool"],"content_html":"\u003cp\u003eA relative path traversal vulnerability, identified as CVE-2026-7404, has been discovered in getsimpletool mcpo-simple-server up to version 0.2.0. The vulnerability resides within the \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function of the \u003ccode\u003esrc/mcpo_simple_server/services/prompt_manager/base_manager.py\u003c/code\u003e file. By manipulating the \u003ccode\u003edetail\u003c/code\u003e argument, a remote attacker can traverse the file system and delete arbitrary files. The vulnerability is remotely exploitable, and proof-of-concept exploit code is publicly available. The maintainers of the getsimpletool project have been notified of this vulnerability but have not yet responded. This poses a significant risk to systems running mcpo-simple-server, as it could lead to unauthorized file deletion and potential system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable mcpo-simple-server instance running version 0.2.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated \u003ccode\u003edetail\u003c/code\u003e argument containing relative path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request and passes the manipulated \u003ccode\u003edetail\u003c/code\u003e argument to the \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function uses the attacker-controlled \u003ccode\u003edetail\u003c/code\u003e argument to construct a file path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences, the resulting file path points to a location outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application attempts to delete the file at the attacker-specified location.\u003c/li\u003e\n\u003cli\u003eIf permissions allow, the file is successfully deleted, leading to potential data loss or system instability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to delete arbitrary files on the affected system. This can lead to data loss, application malfunction, or even complete system compromise, depending on the files targeted for deletion. Given the public availability of exploit code, systems running vulnerable versions of mcpo-simple-server are at immediate risk. The impact is especially severe if the targeted files are critical system files or application data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade mcpo-simple-server to a patched version that addresses CVE-2026-7404, if available from the vendor.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mcpo-Simple-Server Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on the \u003ccode\u003edetail\u003c/code\u003e argument of the \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function, if patching is not immediately feasible.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as requests containing path traversal sequences.\u003c/li\u003e\n\u003cli\u003eRestrict file system permissions to limit the impact of successful path traversal attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:16:22Z","date_published":"2026-04-29T21:16:22Z","id":"/briefs/2026-04-mcpo-simple-server-traversal/","summary":"A relative path traversal vulnerability exists in getsimpletool mcpo-simple-server \u003c= 0.2.0, allowing remote attackers to delete arbitrary files via manipulation of the `detail` argument in the `delete_shared_prompt` function.","title":"Relative Path Traversal Vulnerability in mcpo-simple-server","url":"https://feed.craftedsignal.io/briefs/2026-04-mcpo-simple-server-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2018-25300"}],"_cs_exploited":false,"_cs_products":["xataboost cms 1.0.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["xataboost"],"content_html":"\u003cp\u003eXATABoost CMS 1.0.0 is susceptible to a union-based SQL injection vulnerability (CVE-2018-25300). This flaw enables unauthenticated attackers to inject malicious SQL code through the \u003ccode\u003eid\u003c/code\u003e parameter in \u003ccode\u003enews.php\u003c/code\u003e via GET requests. By crafting specific payloads, attackers can manipulate database queries to extract sensitive information. This vulnerability poses a significant risk, as it could lead to data breaches, account compromise, and further exploitation of the affected system. The targeted exploitation vector is the \u003ccode\u003enews.php\u003c/code\u003e file, making it a critical area for monitoring and mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the \u003ccode\u003enews.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request targeting the \u003ccode\u003eid\u003c/code\u003e parameter within \u003ccode\u003enews.php\u003c/code\u003e. This payload contains SQL injection code.\u003c/li\u003e\n\u003cli\u003eThe server-side application fails to properly sanitize the \u003ccode\u003eid\u003c/code\u003e parameter before constructing the SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses UNION clauses to extract sensitive information from other database tables.\u003c/li\u003e\n\u003cli\u003eThe extracted data is returned as part of the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to retrieve the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated data for further malicious activities (e.g., privilege escalation, lateral movement).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can result in the unauthorized disclosure of sensitive information stored in the XATABoost CMS database. This includes user credentials, financial data, or other confidential information. The impact could range from a single compromised system to a full-scale data breach, depending on the scope and sensitivity of the data stored within the database. Without further context on affected deployments, the number of potential victims is hard to quantify, but any public-facing XATABoost CMS 1.0.0 instance is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect XATABoost CMS SQL Injection Attempt\u003c/code\u003e to identify malicious GET requests targeting the \u003ccode\u003enews.php\u003c/code\u003e endpoint and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003eid\u003c/code\u003e parameter in the \u003ccode\u003enews.php\u003c/code\u003e file to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of XATABoost CMS or implement a web application firewall (WAF) rule to mitigate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to \u003ccode\u003enews.php\u003c/code\u003e and unusual SQL queries.\u003c/li\u003e\n\u003cli\u003eReview and restrict database user permissions to minimize the impact of successful SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:25Z","date_published":"2026-04-29T20:16:25Z","id":"/briefs/2026-04-xataboost-sql-injection/","summary":"XATABoost CMS 1.0.0 is vulnerable to union-based SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter via GET requests to news.php, enabling extraction of sensitive database information.","title":"XATABoost CMS 1.0.0 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-xataboost-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7386"}],"_cs_exploited":false,"_cs_products":["mail-mcp-bridge"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["fatbobman"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7386, has been discovered in fatbobman mail-mcp-bridge version 1.3.3 and prior. The vulnerability resides within the \u003ccode\u003esrc/mail_mcp_server.py\u003c/code\u003e file, specifically affecting an unspecified function that handles the \u003ccode\u003emessage_ids\u003c/code\u003e argument. A remote attacker can exploit this flaw by crafting malicious requests containing manipulated \u003ccode\u003emessage_ids\u003c/code\u003e values. Successful exploitation allows the attacker to traverse the file system and potentially read sensitive files. An exploit is publicly available. The vulnerability is addressed in version 1.3.4, with patch \u003ccode\u003e638b162b26532e32fa8d8047f638537dbdfe197a\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of mail-mcp-bridge running version 1.3.3 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the endpoint that processes \u003ccode\u003emessage_ids\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker includes a \u003ccode\u003emessage_ids\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application, without proper validation, processes the manipulated \u003ccode\u003emessage_ids\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access a file path constructed using the attacker-controlled input.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences, the application accesses a file outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application reads the contents of the traversed file.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the contents of the file, gaining access to sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the server. This could lead to the exposure of sensitive data such as configuration files, application source code, or user data. With a CVSS v3.1 base score of 7.3, this vulnerability poses a significant risk. The number of affected installations is unknown, but any instance of mail-mcp-bridge running a vulnerable version is susceptible to attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade fatbobman mail-mcp-bridge to version 1.3.4 or later to apply the patch \u003ccode\u003e638b162b26532e32fa8d8047f638537dbdfe197a\u003c/code\u003e that resolves CVE-2026-7386.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect mail-mcp-bridge Path Traversal Attempt\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003emessage_ids\u003c/code\u003e parameter to prevent path traversal attacks in web applications, even after patching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T16:16:29Z","date_published":"2026-04-29T16:16:29Z","id":"/briefs/2026-04-mail-mcp-bridge-path-traversal/","summary":"A path traversal vulnerability exists in fatbobman mail-mcp-bridge version 1.3.3 and earlier, allowing a remote attacker to read arbitrary files by manipulating the message_ids argument in the src/mail_mcp_server.py file.","title":"Path Traversal Vulnerability in mail-mcp-bridge","url":"https://feed.craftedsignal.io/briefs/2026-04-mail-mcp-bridge-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7389"}],"_cs_exploited":false,"_cs_products":["EyouCMS (\u003c= 1.7.9)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-7389","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA security vulnerability, CVE-2026-7389, has been identified in EyouCMS, specifically affecting versions up to 1.7.9. This vulnerability stems from insufficient sanitization of user-supplied input passed to the \u003ccode\u003esort_asc\u003c/code\u003e argument of the \u003ccode\u003eGetSortData\u003c/code\u003e function located in the \u003ccode\u003eapplication/common.php\u003c/code\u003e file. An unauthenticated, remote attacker can exploit this vulnerability to inject malicious SQL queries into the application. Publicly available exploits increase the risk of widespread exploitation. The project maintainers were notified but have not yet addressed the issue, making timely detection and mitigation critical for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an EyouCMS instance running a vulnerable version (\u0026lt;= 1.7.9).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eGetSortData\u003c/code\u003e function within \u003ccode\u003eapplication/common.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003esort_asc\u003c/code\u003e argument containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe application processes the request without proper sanitization of the \u003ccode\u003esort_asc\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is incorporated into a SQL query executed by the application.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code modifies the query logic, allowing the attacker to potentially bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker can read sensitive data from the database, such as user credentials or configuration information.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges or gain complete control of the database server, leading to data exfiltration or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7389) could allow an attacker to read, modify, or delete sensitive data stored in the EyouCMS database. This could include user credentials, financial information, or other confidential data. Since an exploit is publicly available, organizations using vulnerable versions of EyouCMS are at increased risk of compromise, potentially leading to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect EyouCMS SQL Injection via sort_asc Parameter\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for suspicious requests targeting \u003ccode\u003eapplication/common.php\u003c/code\u003e with unusual parameters in the \u003ccode\u003esort_asc\u003c/code\u003e argument based on the Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003esort_asc\u003c/code\u003e parameter in the \u003ccode\u003eGetSortData\u003c/code\u003e function to prevent SQL injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T16:16:29Z","date_published":"2026-04-29T16:16:29Z","id":"/briefs/2026-04-eyoucms-sql-injection/","summary":"A remote SQL injection vulnerability (CVE-2026-7389) exists in EyouCMS versions up to 1.7.9 due to improper handling of the 'sort_asc' argument in the GetSortData function, potentially allowing attackers to execute arbitrary SQL commands.","title":"EyouCMS SQL Injection Vulnerability (CVE-2026-7389)","url":"https://feed.craftedsignal.io/briefs/2026-04-eyoucms-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7315"}],"_cs_exploited":false,"_cs_products":["spire-pdf-mcp-server"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["eiceblue"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7315, affects eiceblue spire-pdf-mcp-server version 0.1.1. The vulnerability resides in the \u003ccode\u003eget_pdf_path\u003c/code\u003e function within the \u003ccode\u003esrc/spire_pdf_mcp/server.py\u003c/code\u003e file. By manipulating the \u003ccode\u003efilepath\u003c/code\u003e argument, a remote attacker can bypass directory traversal restrictions and potentially access sensitive files on the server. Public exploits are available, increasing the risk of exploitation. The vendor has been notified but has not yet provided a patch or response. This vulnerability poses a significant risk to systems running the affected software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of eiceblue spire-pdf-mcp-server 0.1.1 exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eget_pdf_path\u003c/code\u003e function, embedding a path traversal sequence (e.g., \u003ccode\u003e../\u003c/code\u003e) within the \u003ccode\u003efilepath\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and processes the \u003ccode\u003efilepath\u003c/code\u003e argument without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_pdf_path\u003c/code\u003e function constructs a file path using the attacker-controlled input, allowing the traversal of directories outside the intended PDF file storage location.\u003c/li\u003e\n\u003cli\u003eThe server attempts to access a file outside the intended directory, based on the manipulated path.\u003c/li\u003e\n\u003cli\u003eIf successful, the server reads the contents of the arbitrary file.\u003c/li\u003e\n\u003cli\u003eThe server returns the contents of the file to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information, potentially including configuration files, credentials, or other confidential data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7315 allows a remote attacker to read arbitrary files on the server. This can lead to the disclosure of sensitive information, such as configuration files, credentials, or internal application code. The impact could include complete compromise of the affected system and potential lateral movement within the network. Given the availability of public exploits, the risk of widespread exploitation is elevated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Spire-PDF Path Traversal Attempt\u003c/code\u003e to identify malicious requests containing path traversal sequences.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests targeting the \u003ccode\u003eget_pdf_path\u003c/code\u003e function with suspicious \u003ccode\u003efilepath\u003c/code\u003e parameters (e.g., containing \u0026ldquo;../\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures for the \u003ccode\u003efilepath\u003c/code\u003e argument in the \u003ccode\u003eget_pdf_path\u003c/code\u003e function to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates from the vendor as soon as they are released to address CVE-2026-7315.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-spire-pdf-path-traversal/","summary":"A path traversal vulnerability exists in eiceblue spire-pdf-mcp-server version 0.1.1, allowing remote attackers to access arbitrary files via manipulation of the filepath argument in the get_pdf_path function.","title":"Eiceblue Spire-PDF-MCP-Server Path Traversal Vulnerability (CVE-2026-7315)","url":"https://feed.craftedsignal.io/briefs/2026-04-spire-pdf-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7314"}],"_cs_exploited":false,"_cs_products":["spire-doc-mcp-server 1.0.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7314"],"_cs_type":"advisory","_cs_vendors":["eiceblue"],"content_html":"\u003cp\u003eA critical path traversal vulnerability has been identified in eiceblue spire-doc-mcp-server version 1.0.0. The vulnerability resides within the \u003ccode\u003eget_doc_path\u003c/code\u003e function of the \u003ccode\u003esrc/spire_doc_mcp/api/base.py\u003c/code\u003e file. By manipulating the \u003ccode\u003edocument_name\u003c/code\u003e argument, an attacker can bypass intended directory restrictions and access files outside the designated document path. This attack can be initiated remotely without authentication, posing a significant risk. Public exploits are available, increasing the likelihood of exploitation. The vendor was notified through an issue report, but has not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the spire-doc-mcp-server.\u003c/li\u003e\n\u003cli\u003eThe request targets an endpoint that utilizes the vulnerable \u003ccode\u003eget_doc_path\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003edocument_name\u003c/code\u003e parameter within the request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edocument_name\u003c/code\u003e parameter contains a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;) designed to escape the intended directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_doc_path\u003c/code\u003e function fails to properly sanitize or validate the \u003ccode\u003edocument_name\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path based on the malicious input.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read the file at the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves the contents of an arbitrary file on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows an attacker to read sensitive files on the server. This could include configuration files containing credentials, source code, or other confidential data. The CVSS v3.1 score of 7.3 reflects the high severity of this issue. The lack of vendor response and availability of public exploits significantly increases the risk to organizations using vulnerable versions of spire-doc-mcp-server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Spire-doc-mcp-server Path Traversal Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts by monitoring web server logs for path traversal sequences.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003edocument_name\u003c/code\u003e argument in the \u003ccode\u003eget_doc_path\u003c/code\u003e function within \u003ccode\u003esrc/spire_doc_mcp/api/base.py\u003c/code\u003e to prevent path traversal.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests containing path traversal sequences (e.g., \u0026ldquo;..%2F\u0026rdquo;, \u0026ldquo;../\u0026rdquo;) targeting endpoints related to document retrieval.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-spire-doc-mcp-server-path-traversal/","summary":"A path traversal vulnerability exists in eiceblue spire-doc-mcp-server version 1.0.0, allowing a remote attacker to access arbitrary files by manipulating the 'document_name' argument in the 'get_doc_path' function.","title":"eiceblue spire-doc-mcp-server Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-spire-doc-mcp-server-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7319"}],"_cs_exploited":true,"_cs_products":["execution-system-mcp 0.1.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7319"],"_cs_type":"threat","_cs_vendors":["elinsky"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7319, affects elinsky execution-system-mcp version 0.1.0. The vulnerability resides in the \u003ccode\u003e_get_context_file_path\u003c/code\u003e function located within the \u003ccode\u003esrc/execution_system_mcp/server.py\u003c/code\u003e file, which is part of the \u003ccode\u003eadd_action\u003c/code\u003e Tool component. By manipulating the \u003ccode\u003econtext\u003c/code\u003e argument, a remote attacker can bypass directory restrictions and access unauthorized files. The existence of a published exploit increases the risk of this vulnerability being actively exploited. Defenders should prioritize patching and implementing mitigations to prevent potential data breaches or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of elinsky execution-system-mcp 0.1.0 running remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eadd_action\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker injects a path traversal sequence (e.g., \u003ccode\u003e../\u003c/code\u003e) into the \u003ccode\u003econtext\u003c/code\u003e argument of the \u003ccode\u003e_get_context_file_path\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_get_context_file_path\u003c/code\u003e function processes the tainted input without proper sanitization, allowing the path traversal sequence to resolve to a file outside of the intended directory.\u003c/li\u003e\n\u003cli\u003eThe server attempts to read the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eSensitive information from the targeted file is read by the server.\u003c/li\u003e\n\u003cli\u003eThe server returns the content of the file, or an error message indicating the file content, to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains sensitive information, potentially leading to further exploitation, such as privilege escalation or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the server. This could lead to the disclosure of sensitive information, such as configuration files, source code, or user data. The CVSS v3.1 score of 7.3 indicates a high severity, highlighting the potential for significant impact. The lack of specifics regarding victim count and sectors targeted in the source information makes it difficult to quantify the precise scale of potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for elinsky execution-system-mcp to address CVE-2026-7319.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent path traversal attacks within the \u003ccode\u003e_get_context_file_path\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect exploitation attempts by monitoring for suspicious path traversal sequences in HTTP requests to the \u003ccode\u003eadd_action\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing path traversal sequences such as \u0026ldquo;../\u0026rdquo; and ensure proper logging of access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T10:00:00Z","date_published":"2026-04-29T10:00:00Z","id":"/briefs/2026-04-elinsky-path-traversal/","summary":"Elinsky execution-system-mcp 0.1.0 is vulnerable to path traversal via manipulation of the context argument in the _get_context_file_path function, allowing remote attackers to access sensitive files.","title":"Elinsky execution-system-mcp Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-elinsky-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7130"}],"_cs_exploited":false,"_cs_products":["Pharmacy Sales and Inventory System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-7130"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The vulnerability resides within the \u003ccode\u003e/ajax.php?action=delete_category\u003c/code\u003e endpoint, where a manipulation of the \u003ccode\u003eID\u003c/code\u003e argument can lead to arbitrary SQL command execution. This allows remote attackers to potentially bypass authentication, access sensitive data, modify database contents, or even compromise the entire system. Given the availability of a published exploit, this vulnerability poses a significant risk to organizations utilizing the affected software. Successful exploitation requires no authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of SourceCodester Pharmacy Sales and Inventory System 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003e/ajax.php?action=delete_category\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003eID\u003c/code\u003e parameter of the request.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL code to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker-controlled SQL query.\u003c/li\u003e\n\u003cli\u003eDepending on the injected SQL, the attacker can read sensitive data from the database (e.g., user credentials, financial records).\u003c/li\u003e\n\u003cli\u003eThe attacker could also modify data, such as altering inventory levels or creating unauthorized accounts.\u003c/li\u003e\n\u003cli\u003eUltimately, the attacker could gain full control of the database and the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could result in unauthorized access to sensitive patient data, financial records, and other confidential information stored within the Pharmacy Sales and Inventory System database. Attackers could potentially modify data, leading to incorrect inventory levels, fraudulent transactions, or even complete system compromise. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations. Given that the exploit is public, organizations using this software are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eID\u003c/code\u003e parameter within the \u003ccode\u003e/ajax.php?action=delete_category\u003c/code\u003e endpoint to prevent SQL injection (reference CVE-2026-7130).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious requests to the \u003ccode\u003e/ajax.php?action=delete_category\u003c/code\u003e endpoint containing potential SQL injection attempts.\u003c/li\u003e\n\u003cli\u003eImplement regular security audits and penetration testing to identify and remediate vulnerabilities in web applications.\u003c/li\u003e\n\u003cli\u003eRestrict database access privileges to the minimum necessary for each user and application to limit the potential impact of a successful SQL injection attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T12:00:00Z","date_published":"2026-04-28T12:00:00Z","id":"/briefs/2026-04-pharmacy-sqli/","summary":"A remote SQL injection vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0 via manipulation of the ID parameter in the /ajax.php?action=delete_category endpoint, potentially leading to unauthorized data access or modification.","title":"SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-pharmacy-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7177"}],"_cs_exploited":false,"_cs_products":["NextChat"],"_cs_severities":["medium"],"_cs_tags":["ssrf","cve-2026-7177","web-application"],"_cs_type":"advisory","_cs_vendors":["ChatGPTNextWeb"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability, identified as CVE-2026-7177, affects ChatGPTNextWeb NextChat up to version 2.16.1. The vulnerability resides within the \u003ccode\u003eproxyHandler\u003c/code\u003e function in the \u003ccode\u003eapp/api/[provider]/[...path]/route.ts\u003c/code\u003e file. Publicly available exploits demonstrate that a remote attacker can manipulate this function to make unauthorized requests to internal resources. The project maintainers were notified, but have not yet responded to the issue, increasing the risk of widespread exploitation. This vulnerability allows attackers to potentially access sensitive information or internal services that are not intended to be exposed to the internet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a NextChat instance running a vulnerable version (\u0026lt;= 2.16.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eapp/api/[provider]/[...path]/route.ts\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request manipulates the \u003ccode\u003eproxyHandler\u003c/code\u003e function parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eproxyHandler\u003c/code\u003e function, without proper validation, forwards the manipulated request to an internal server or resource.\u003c/li\u003e\n\u003cli\u003eThe internal server processes the request as if it originated from the NextChat server itself.\u003c/li\u003e\n\u003cli\u003eThe internal server returns the response to the NextChat server.\u003c/li\u003e\n\u003cli\u003eThe NextChat server forwards the response from the internal server back to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to potentially sensitive information or can interact with internal services due to the SSRF vulnerability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows attackers to potentially access internal resources, including sensitive data or internal services not intended for public access. While the CVSS score is 7.3 (HIGH), the impact is limited to information disclosure and limited modification/availability of resources. The number of affected instances is currently unknown. If successfully exploited, attackers could potentially use the compromised NextChat instance as a proxy to further compromise the internal network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eproxyHandler\u003c/code\u003e function within \u003ccode\u003eapp/api/[provider]/[...path]/route.ts\u003c/code\u003e to prevent malicious manipulation (Reference: CVE-2026-7177).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual requests targeting the \u003ccode\u003eapp/api\u003c/code\u003e endpoint with potentially malicious parameters (See example Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access from the NextChat server to only necessary internal resources (General security best practice related to SSRF).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect exploitation attempts against NextChat instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T12:00:00Z","date_published":"2026-04-28T12:00:00Z","id":"/briefs/2026-04-nextchat-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote attackers to manipulate the proxyHandler function, potentially leading to unauthorized internal resource access.","title":"ChatGPTNextWeb NextChat Server-Side Request Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nextchat-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7237"}],"_cs_exploited":false,"_cs_products":["scaffold-mcp"],"_cs_severities":["high"],"_cs_tags":["path-traversal","cve","web-application"],"_cs_type":"advisory","_cs_vendors":["AgiFlow"],"content_html":"\u003cp\u003eAgiFlow scaffold-mcp, a software component with unknown functionality, is vulnerable to a path traversal attack. This vulnerability, identified as CVE-2026-7237, affects versions up to 1.0.27. The vulnerability resides in the \u003ccode\u003epackages/scaffold-mcp/src/server/index.ts\u003c/code\u003e file, specifically within the \u0026ldquo;write-to-file\u0026rdquo; tool. An attacker can remotely exploit this flaw by manipulating the \u003ccode\u003efile_path\u003c/code\u003e argument, enabling them to write to arbitrary locations on the server. A patch has been released in version 1.1.0 with commit hash \u003ccode\u003ec4d23592ae5fb59cfeefc4641e6826f8ac89b9c6\u003c/code\u003e to address this vulnerability. The exploit is publicly available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AgiFlow scaffold-mcp instance running a vulnerable version (\u0026lt;= 1.0.27).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u0026ldquo;write-to-file\u0026rdquo; tool.\u003c/li\u003e\n\u003cli\u003eThe request includes a manipulated \u003ccode\u003efile_path\u003c/code\u003e argument containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;, \u0026ldquo;..\\\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request without proper sanitization or validation of the \u003ccode\u003efile_path\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application attempts to write data to the attacker-controlled file path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences, the data is written to an arbitrary location on the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker may overwrite critical system files, inject malicious code, or exfiltrate sensitive data, depending on the write permissions and targeted file location.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to arbitrary code execution, data compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7237 allows attackers to write arbitrary files to the affected system, potentially leading to code execution, data exfiltration, or denial of service. The number of affected installations is currently unknown. Due to the public availability of the exploit, organizations using AgiFlow scaffold-mcp are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AgiFlow scaffold-mcp to version 1.1.0 or later to remediate CVE-2026-7237, applying the patch identified by commit hash \u003ccode\u003ec4d23592ae5fb59cfeefc4641e6826f8ac89b9c6\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003efile_path\u003c/code\u003e argument within the \u0026ldquo;write-to-file\u0026rdquo; tool to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AgiFlow Scaffold-mcp Path Traversal Attempt\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences in the URI.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T08:16:02Z","date_published":"2026-04-28T08:16:02Z","id":"/briefs/2024-01-agiflow-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-7237) exists in AgiFlow scaffold-mcp versions up to 1.0.27, allowing remote attackers to write to arbitrary files by manipulating the file_path argument in the write-to-file tool.","title":"AgiFlow scaffold-mcp Path Traversal Vulnerability (CVE-2026-7237)","url":"https://feed.craftedsignal.io/briefs/2024-01-agiflow-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7234"}],"_cs_exploited":false,"_cs_products":["browser-operator-core (\u003c= 0.6.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7234"],"_cs_type":"advisory","_cs_vendors":["BrowserOperator"],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in BrowserOperator browser-operator-core versions up to 0.6.0. The vulnerability, designated as CVE-2026-7234, resides in the \u003ccode\u003estartsWith\u003c/code\u003e function within the \u003ccode\u003escripts/component_server/server.js\u003c/code\u003e file. By manipulating the \u003ccode\u003erequest.url\u003c/code\u003e argument, an attacker can bypass path restrictions and potentially access sensitive files on the server. The vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available. The BrowserOperator project has been notified, but a patch has not yet been released. Successful exploitation could lead to information disclosure and unauthorized access to system resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable BrowserOperator browser-operator-core instance running a version prior to 0.6.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ecomponent_server/server.js\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003erequest.url\u003c/code\u003e argument designed to bypass the \u003ccode\u003estartsWith\u003c/code\u003e function\u0026rsquo;s intended path restrictions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estartsWith\u003c/code\u003e function fails to properly sanitize or validate the \u003ccode\u003erequest.url\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe application uses the attacker-controlled \u003ccode\u003erequest.url\u003c/code\u003e to construct a file path.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read a file based on the constructed path, traversing directories outside of the intended scope.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to read arbitrary files on the server hosting the BrowserOperator browser-operator-core application. This could lead to the disclosure of sensitive information, including configuration files, credentials, or source code. The lack of response from the project maintainers increases the risk of widespread exploitation, especially given the availability of a public exploit.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect webserver logs for HTTP requests containing path traversal patterns in the URL targeting the \u003ccode\u003ecomponent_server/server.js\u003c/code\u003e endpoint to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect BrowserOperator Path Traversal Attempt\u003c/code\u003e to identify suspicious requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns originating from the BrowserOperator application.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint, mitigating the risk of CVE-2026-7234.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T07:16:04Z","date_published":"2026-04-28T07:16:04Z","id":"/briefs/2026-04-browseroperator-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-7234) exists in BrowserOperator browser-operator-core up to version 0.6.0, allowing remote attackers to read arbitrary files by manipulating the request.url argument in the startsWith function of scripts/component_server/server.js.","title":"BrowserOperator Core Path Traversal Vulnerability (CVE-2026-7234)","url":"https://feed.craftedsignal.io/briefs/2026-04-browseroperator-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7212"}],"_cs_exploited":false,"_cs_products":["notes-mcp (\u003c= 0.1.4)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","CVE-2026-7212"],"_cs_type":"advisory","_cs_vendors":["edvardlindelof"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7212, affects edvardlindelof notes-mcp version 0.1.4 and earlier. This flaw resides within the \u003ccode\u003enotes_mcp.py\u003c/code\u003e file, where manipulation of the \u003ccode\u003eroot_dir/path\u003c/code\u003e argument allows unauthorized access to files and directories outside the intended scope. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. The vendor was notified through an issue report but has not yet responded, making timely patching unlikely. Successful exploitation could lead to sensitive data exposure, potentially compromising the entire application and server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an instance of \u003ccode\u003enotes-mcp\u003c/code\u003e running version 0.1.4 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable endpoint in \u003ccode\u003enotes_mcp.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003eroot_dir/path\u003c/code\u003e argument containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to navigate outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize or validate the \u003ccode\u003eroot_dir/path\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application uses the attacker-controlled path to access files or directories on the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data, such as configuration files, application source code, or user data, by reading arbitrary files on the server.\u003c/li\u003e\n\u003cli\u003eIf write access is possible, the attacker may overwrite critical system files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed information to further compromise the system or gain unauthorized access to other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability can lead to unauthorized access to sensitive files and directories on the affected server. This could result in the disclosure of confidential data, such as user credentials, application source code, or internal configuration details. The vulnerability has a CVSS v3.1 score of 7.3 (HIGH), indicating a significant risk. The number of potential victims is unknown, but any system running the vulnerable version of \u003ccode\u003enotes-mcp\u003c/code\u003e is at risk. The project\u0026rsquo;s lack of response to the vulnerability report suggests that a patch may not be immediately available, increasing the window of opportunity for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server access logs for suspicious requests containing path traversal sequences like \u003ccode\u003e../\u003c/code\u003e in the URI targeting \u003ccode\u003enotes_mcp.py\u003c/code\u003e to identify potential exploitation attempts (see Sigma rule \u003ccode\u003eDetect notes-mcp Path Traversal Attempt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual file access patterns originating from the affected server after potential exploitation.\u003c/li\u003e\n\u003cli\u003eSince a public exploit is available, prioritize patching or mitigating this vulnerability if you are using the affected software, paying close attention to changes in request patterns and ensuring awareness of CVE-2026-7212.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T02:16:08Z","date_published":"2026-04-28T02:16:08Z","id":"/briefs/2026-04-notes-mcp-path-traversal/","summary":"A path traversal vulnerability exists in edvardlindelof notes-mcp up to version 0.1.4, affecting the notes_mcp.py file, allowing a remote attacker to access sensitive files by manipulating the `root_dir/path` argument.","title":"edvardlindelof notes-mcp Path Traversal Vulnerability (CVE-2026-7212)","url":"https://feed.craftedsignal.io/briefs/2026-04-notes-mcp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7205"}],"_cs_exploited":false,"_cs_products":["papers-mcp-server"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["duartium"],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in duartium papers-mcp-server, specifically version 9ceb3812a6458ba7922ca24a7406f8807bc55598. The vulnerability resides within the \u003ccode\u003esearch_papers\u003c/code\u003e function located in the \u003ccode\u003esrc/main.py\u003c/code\u003e file. By manipulating the \u003ccode\u003etopic\u003c/code\u003e argument, a remote attacker can exploit this flaw to traverse the file system and potentially read sensitive files. This vulnerability, identified as CVE-2026-7205, is remotely exploitable and has a publicly available exploit, increasing the risk of widespread exploitation. The project maintainers were notified, but there has been no response or patch released, making immediate defensive measures critical for organizations using this software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of duartium papers-mcp-server version 9ceb3812a6458ba7922ca24a7406f8807bc55598.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003esearch_papers\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker injects a path traversal payload into the \u003ccode\u003etopic\u003c/code\u003e argument, such as \u0026ldquo;../../etc/passwd\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe server-side application, without proper sanitization, processes the malicious \u003ccode\u003etopic\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read the file specified by the attacker\u0026rsquo;s path traversal payload (e.g., /etc/passwd).\u003c/li\u003e\n\u003cli\u003eThe server responds with the contents of the requested file, effectively leaking sensitive information to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the leaked file for sensitive data, such as usernames, passwords, or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained information to further compromise the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows attackers to read arbitrary files on the affected server. This could lead to the disclosure of sensitive configuration files, user credentials, or source code, potentially leading to further compromise, lateral movement within the network, and data breaches. The lack of a patch and the availability of a public exploit increases the likelihood of widespread exploitation and potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect exploitation attempts against the \u003ccode\u003esearch_papers\u003c/code\u003e endpoint, focusing on path traversal payloads in the \u003ccode\u003etopic\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003etopic\u003c/code\u003e parameter within the \u003ccode\u003esearch_papers\u003c/code\u003e function to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences like \u0026ldquo;../\u0026rdquo; and \u0026ldquo;./\u0026rdquo; in the URI query to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply rate limiting to the \u003ccode\u003esearch_papers\u003c/code\u003e endpoint to mitigate potential brute-force path traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T01:17:16Z","date_published":"2026-04-28T01:17:16Z","id":"/briefs/2026-04-duartium-path-traversal/","summary":"A path traversal vulnerability exists in the `search_papers` function of `src/main.py` in duartium papers-mcp-server version 9ceb3812a6458ba7922ca24a7406f8807bc55598, allowing remote attackers to read arbitrary files by manipulating the `topic` argument, with a public exploit available.","title":"Duartium papers-mcp-server Path Traversal Vulnerability (CVE-2026-7205)","url":"https://feed.craftedsignal.io/briefs/2026-04-duartium-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7206"}],"_cs_exploited":true,"_cs_products":["sqlite-mcp"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-7206","web-application"],"_cs_type":"threat","_cs_vendors":["dubydu"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-7206, has been discovered in dubydu\u0026rsquo;s sqlite-mcp software, affecting versions up to 0.1.0. The vulnerability resides within the \u003ccode\u003eextract_to_json\u003c/code\u003e function located in the \u003ccode\u003esrc/entry.py\u003c/code\u003e file. An attacker can exploit this flaw by manipulating the \u003ccode\u003eoutput_filename\u003c/code\u003e argument, leading to the execution of arbitrary SQL commands. This vulnerability is remotely exploitable, meaning an attacker does not need local access to the system. A proof-of-concept exploit is publicly available, increasing the risk of active exploitation. Applying patch \u003ccode\u003ea5580cb992f4f6c308c9ffe6442b2e76709db548\u003c/code\u003e is the recommended remediation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of dubydu sqlite-mcp running a version prior to the patched version.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eextract_to_json\u003c/code\u003e function in \u003ccode\u003esrc/entry.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003eoutput_filename\u003c/code\u003e argument of the request.\u003c/li\u003e\n\u003cli\u003eThe application processes the attacker-supplied \u003ccode\u003eoutput_filename\u003c/code\u003e argument without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is passed directly to the underlying SQLite database engine.\u003c/li\u003e\n\u003cli\u003eThe SQLite database executes the injected SQL commands, potentially allowing the attacker to read sensitive data, modify data, or execute system commands, depending on the application\u0026rsquo;s privileges and database configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the results of the injected SQL query, such as extracted data or confirmation of successful command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised database to achieve further objectives, such as data exfiltration or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7206) can allow an attacker to execute arbitrary SQL queries against the underlying SQLite database. This could lead to the disclosure of sensitive information, modification of data, or even complete compromise of the application and the system it resides on. The CVSS v3.1 base score is 7.3, indicating a high severity vulnerability. Given the public availability of an exploit, affected systems are at an elevated risk of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided patch \u003ccode\u003ea5580cb992f4f6c308c9ffe6442b2e76709db548\u003c/code\u003e to remediate CVE-2026-7206.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection attacks, focusing on the \u003ccode\u003eoutput_filename\u003c/code\u003e parameter of the \u003ccode\u003eextract_to_json\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003eextract_to_json\u003c/code\u003e function using the Sigma rule \u003ccode\u003eDetect Suspicious sqlite-mcp Requests\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T01:16:02Z","date_published":"2026-04-28T01:16:02Z","id":"/briefs/2026-04-sqlite-injection/","summary":"A SQL injection vulnerability exists in dubydu sqlite-mcp version 0.1.0 and earlier within the extract_to_json function allowing remote exploitation through manipulation of the output_filename argument.","title":"dubydu sqlite-mcp SQL Injection Vulnerability (CVE-2026-7206)","url":"https://feed.craftedsignal.io/briefs/2026-04-sqlite-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7199"}],"_cs_exploited":false,"_cs_products":["Pharmacy Sales and Inventory System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-7199","web-application"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. This vulnerability, assigned CVE-2026-7199, affects the \u003ccode\u003e/ajax.php?action=delete_product\u003c/code\u003e endpoint. Attackers can remotely exploit this vulnerability by manipulating the \u003ccode\u003eID\u003c/code\u003e parameter. The vulnerability was published on April 27, 2026, and the exploit is now publicly available. Successful exploitation allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Due to the ease of exploitation and the sensitive nature of pharmacy data, this vulnerability poses a significant risk to organizations using the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of SourceCodester Pharmacy Sales and Inventory System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/ajax.php?action=delete_product\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003eID\u003c/code\u003e parameter of the request.\u003c/li\u003e\n\u003cli\u003eThe server-side application fails to properly sanitize the input, passing the malicious SQL code to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, potentially allowing the attacker to bypass authentication, access sensitive data, modify database records, or execute system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data, such as patient information, prescription details, or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges within the application and the underlying system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then exfiltrate the compromised data or maintain persistent access to the system for future attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to a complete compromise of the Pharmacy Sales and Inventory System. This can result in the theft of sensitive patient data, financial records, and other confidential information. The vulnerability allows attackers to potentially modify or delete critical data, leading to disruption of pharmacy operations, financial losses, and regulatory penalties. As the exploit is publicly available, the likelihood of widespread exploitation is high, impacting any organization using the vulnerable version of the software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eDetecting SQL Injection Attempts via URI\u003c/code\u003e to identify potential exploitation attempts against the \u003ccode\u003e/ajax.php?action=delete_product\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/ajax.php?action=delete_product\u003c/code\u003e containing suspicious characters or SQL keywords in the \u003ccode\u003eID\u003c/code\u003e parameter, as detected by the \u003ccode\u003eDetecting SQL Injection in Pharmacy System\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection vulnerabilities in the SourceCodester Pharmacy Sales and Inventory System, mitigating the underlying issue.\u003c/li\u003e\n\u003cli\u003eRestrict access to the database server and sensitive data to only authorized personnel, reducing the potential impact of a successful SQL injection attack.\u003c/li\u003e\n\u003cli\u003eMonitor database logs for suspicious activity, such as unauthorized data access or modification, which may indicate successful exploitation of CVE-2026-7199.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T00:16:26Z","date_published":"2026-04-28T00:16:26Z","id":"/briefs/2026-04-pharmacy-inventory-sqli/","summary":"A SQL injection vulnerability (CVE-2026-7199) exists in SourceCodester Pharmacy Sales and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'ID' parameter in the `/ajax.php?action=delete_product` endpoint, potentially leading to data breach or system compromise.","title":"SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability (CVE-2026-7199)","url":"https://feed.craftedsignal.io/briefs/2026-04-pharmacy-inventory-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7131"}],"_cs_exploited":false,"_cs_products":["Online Lot Reservation System"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-7131, has been discovered in code-projects Online Lot Reservation System version 1.0 and earlier. This vulnerability is located in the \u003ccode\u003e/loginuser.php\u003c/code\u003e file and can be exploited by manipulating the \u003ccode\u003eemail\u003c/code\u003e and \u003ccode\u003epassword\u003c/code\u003e arguments. Successful exploitation could allow a remote attacker to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability is remotely exploitable and a public exploit is available, increasing the risk of exploitation. Due to the sensitive nature of lot reservation data, organizations using this system are at risk of significant data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of code-projects Online Lot Reservation System version 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/loginuser.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects SQL code into the \u003ccode\u003eemail\u003c/code\u003e or \u003ccode\u003epassword\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL code to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, treating it as a legitimate query.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the database, potentially reading sensitive information such as user credentials, reservation details, or financial data.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete data within the database, disrupting the system\u0026rsquo;s functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially use the compromised database to pivot to other systems or escalate privileges within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7131 can result in unauthorized access to sensitive data within the Online Lot Reservation System. This could include user credentials, reservation details, and financial information. The vulnerability affects systems running code-projects Online Lot Reservation System up to version 1.0. Due to the availability of a public exploit, the risk of exploitation is elevated. A successful attack could lead to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization techniques to prevent SQL injection attacks within the \u003ccode\u003e/loginuser.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempt via Login\u003c/code\u003e to identify potential exploitation attempts against the \u003ccode\u003e/loginuser.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/loginuser.php\u003c/code\u003e file, specifically looking for SQL syntax within the \u003ccode\u003eemail\u003c/code\u003e or \u003ccode\u003epassword\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eReview and harden database access controls to limit the impact of successful SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to detect and block SQL injection attempts.\u003c/li\u003e\n\u003cli\u003eDisable Javascript to ensure complete website functionality.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T15:16:21Z","date_published":"2026-04-27T15:16:21Z","id":"/briefs/2026-04-online-lot-sqli/","summary":"CVE-2026-7131 is a SQL injection vulnerability in code-projects Online Lot Reservation System up to version 1.0, affecting the /loginuser.php component via manipulation of the email/password arguments, which could allow remote attackers to execute arbitrary SQL queries.","title":"Online Lot Reservation System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-online-lot-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7088"}],"_cs_exploited":false,"_cs_products":["Pharmacy Sales and Inventory System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-7088"],"_cs_type":"advisory","_cs_vendors":["SourceCodester"],"content_html":"\u003cp\u003eSourceCodester Pharmacy Sales and Inventory System version 1.0 is susceptible to SQL injection. The vulnerability resides in the \u003ccode\u003e/ajax.php?action=save_receiving\u003c/code\u003e file, where manipulation of the \u003ccode\u003eID\u003c/code\u003e argument can lead to arbitrary SQL command execution. This vulnerability allows remote attackers to compromise the application\u0026rsquo;s database. The exploit is publicly available, increasing the risk of exploitation. This vulnerability allows attackers to read, modify, or delete sensitive data, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of SourceCodester Pharmacy Sales and Inventory System version 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/ajax.php?action=save_receiving\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a SQL payload into the \u003ccode\u003eID\u003c/code\u003e parameter of the request.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the injected SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the malicious SQL query, potentially returning sensitive data to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the SQL injection to bypass authentication, allowing them to access administrative functions.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the SQL injection to modify inventory data, manipulate sales records, or create fraudulent transactions.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the SQL injection to exfiltrate sensitive data such as customer information, financial records, and administrator credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive data, modification of inventory and sales records, and potentially full control of the application and underlying server. This could result in financial loss, reputational damage, and legal repercussions for affected organizations. Given the public availability of the exploit, the risk of widespread exploitation is high. The impact could include data breaches, financial fraud, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting SQL Injection Attempts via URI\u003c/code\u003e to identify malicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eID\u003c/code\u003e parameter in the \u003ccode\u003e/ajax.php?action=save_receiving\u003c/code\u003e file to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as error messages or unusual requests targeting the \u003ccode\u003e/ajax.php?action=save_receiving\u003c/code\u003e endpoint (webserver log source).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of the application or implement a web application firewall (WAF) rule to block malicious requests.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles for database access to limit the impact of successful SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T06:16:03Z","date_published":"2026-04-27T06:16:03Z","id":"/briefs/2026-04-pharmacy-sales-sqli/","summary":"SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection by manipulating the ID argument in the /ajax.php?action=save_receiving file, allowing remote attackers to execute arbitrary SQL commands.","title":"SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-pharmacy-sales-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7075"}],"_cs_exploited":false,"_cs_products":["Construction Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve-2026-7075"],"_cs_type":"advisory","_cs_vendors":["itsourcecode"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in itsourcecode Construction Management System version 1.0. The vulnerability resides within the \u003ccode\u003e/locations.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eaddress\u003c/code\u003e argument. This allows a remote attacker to inject arbitrary SQL commands into the application\u0026rsquo;s database queries. This poses a significant risk as successful exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire system. The vulnerability has been assigned CVE-2026-7075, and a public exploit is available, increasing the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of itsourcecode Construction Management System 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted HTTP request to \u003ccode\u003e/locations.php\u003c/code\u003e with a malicious SQL payload embedded in the \u003ccode\u003eaddress\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003eaddress\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is incorporated into an SQL query.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker-controlled SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive data from the database.\u003c/li\u003e\n\u003cli\u003eAttacker may use the injected queries to modify or delete data.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the confidentiality, integrity, and availability of the Construction Management System.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7075) can lead to unauthorized access to sensitive data, including user credentials, financial records, and project details stored within the Construction Management System database. Attackers could potentially modify or delete critical data, disrupt business operations, or gain complete control over the application and its underlying infrastructure. Given the public availability of the exploit, organizations using the affected version of itsourcecode Construction Management System are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious HTTP requests to \u003ccode\u003e/locations.php\u003c/code\u003e containing potentially malicious SQL syntax in the \u003ccode\u003ecs-uri-query\u003c/code\u003e (webserver logs).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003eaddress\u003c/code\u003e parameter in \u003ccode\u003e/locations.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity, especially requests targeting \u003ccode\u003e/locations.php\u003c/code\u003e with long or complex \u003ccode\u003eaddress\u003c/code\u003e parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T02:16:01Z","date_published":"2026-04-27T02:16:01Z","id":"/briefs/2026-04-construction-management-sql-injection/","summary":"A SQL injection vulnerability exists in itsourcecode Construction Management System version 1.0, affecting the processing of the /locations.php file, allowing a remote attacker to inject SQL commands by manipulating the 'address' argument, with a publicly available exploit.","title":"itsourcecode Construction Management System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-construction-management-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7072"}],"_cs_exploited":false,"_cs_products":["canteen_management_system 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-7072","web-application"],"_cs_type":"advisory","_cs_vendors":["CodePanda Source"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in CodePanda Source canteen_management_system version 1.0. The vulnerability resides in the \u003ccode\u003e/api/login.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eUsername\u003c/code\u003e argument. This allows a remote attacker to inject arbitrary SQL commands into the application\u0026rsquo;s database queries. Public exploits are available, increasing the risk of exploitation. Successful exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire application and its underlying database. The affected version is 1.0, and there are no known mitigations other than patching or taking the system offline.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a CodePanda Source canteen_management_system version 1.0 instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to \u003ccode\u003e/api/login.php\u003c/code\u003e with a malicious SQL payload in the \u003ccode\u003eUsername\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003eUsername\u003c/code\u003e input before incorporating it into an SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the application\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses SQL injection techniques such as \u003ccode\u003eUNION SELECT\u003c/code\u003e to extract sensitive data from the database.\u003c/li\u003e\n\u003cli\u003eThe extracted data, which may include usernames, passwords, and other confidential information, is sent back to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to gain unauthorized access to the application\u0026rsquo;s administrative interface.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could allow attackers to read sensitive data, modify existing records, or even execute arbitrary code on the database server. This could lead to a complete compromise of the application and its underlying data. Given the nature of a canteen management system, potential data breaches could include personal information of employees or customers, financial data related to transactions, and internal operational details. The impact may be amplified if the database stores other sensitive information, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for POST requests to \u003ccode\u003e/api/login.php\u003c/code\u003e containing SQL syntax within the \u003ccode\u003eUsername\u003c/code\u003e parameter to detect potential exploitation attempts (see example rule below).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to all user-supplied input, especially the \u003ccode\u003eUsername\u003c/code\u003e parameter in \u003ccode\u003e/api/login.php\u003c/code\u003e, to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eMonitor database logs for unusual or unauthorized SQL queries originating from the application to identify potential breaches resulting from SQL injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T01:16:16Z","date_published":"2026-04-27T01:16:16Z","id":"/briefs/2026-04-canteen-sql-injection/","summary":"A SQL injection vulnerability exists in CodePanda Source canteen_management_system version 1.0 within the /api/login.php file by manipulating the Username argument, allowing remote attackers to execute arbitrary SQL commands.","title":"CodePanda Source canteen_management_system SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-canteen-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7070"}],"_cs_exploited":false,"_cs_products":["Inventory Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in code-projects Inventory Management System version 1.0. The vulnerability resides within the Login component and is triggered by manipulating the Username argument. Successful exploitation allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized access to sensitive data, modification of existing records, or even complete database takeover. The vulnerability, identified as CVE-2026-7070, has a CVSS v3.1 score of 7.3, indicating a high severity. Publicly available exploits exist, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to organizations using the affected Inventory Management System, potentially leading to data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a login form within the code-projects Inventory Management System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload within the Username field of the login form.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted payload through an HTTP POST request to the login endpoint.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize or validate the input provided in the Username field.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is directly incorporated into an SQL query executed against the backend database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code modifies the intended query, allowing the attacker to bypass authentication or extract data.\u003c/li\u003e\n\u003cli\u003eThe database server executes the modified SQL query, potentially returning sensitive information to the attacker or allowing unauthorized data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can have severe consequences. An attacker can gain unauthorized access to sensitive inventory data, customer information, and financial records. Data modification can lead to incorrect inventory levels, disrupted operations, and financial losses. In a worst-case scenario, the attacker could gain complete control over the database server, leading to a full system compromise. This vulnerability impacts organizations using code-projects Inventory Management System 1.0, potentially affecting their reputation, financial stability, and customer trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempts in Web Logs\u003c/code\u003e to identify potential exploitation attempts targeting the Username field in web server logs.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the Username field in the Login component of code-projects Inventory Management System 1.0 to mitigate CVE-2026-7070.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual SQL syntax or error messages indicative of SQL injection attempts based on the \u003ccode\u003eDetect SQL Injection Attempts in Web Logs\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T01:16:15Z","date_published":"2026-04-27T01:16:15Z","id":"/briefs/2026-04-inventory-sql-injection/","summary":"A SQL injection vulnerability exists in code-projects Inventory Management System 1.0 within the Login component, specifically affecting the Username argument, where a remote attacker can manipulate the Username parameter, leading to unauthorized data access or modification.","title":"SQL Injection Vulnerability in code-projects Inventory Management System 1.0","url":"https://feed.craftedsignal.io/briefs/2026-04-inventory-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7063"}],"_cs_exploited":false,"_cs_products":["Employee Management System 1.0"],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-7063","web-application"],"_cs_type":"advisory","_cs_vendors":["code-projects"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-7063, has been discovered in code-projects Employee Management System version 1.0. The vulnerability resides within the \u003ccode\u003e/370project/process/eprocess.php\u003c/code\u003e file, specifically affecting the \u003ccode\u003epwd\u003c/code\u003e argument. Successful exploitation allows a remote attacker to inject and execute arbitrary SQL commands against the application\u0026rsquo;s database. Given that the exploit is publicly available, organizations using this system are at immediate risk of unauthorized data access, modification, or deletion. The affected component is the endpoint processing user input, making it a critical point of failure if not properly secured. This vulnerability poses a significant threat due to its ease of exploitation and potential for widespread data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an instance of code-projects Employee Management System 1.0 accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/370project/process/eprocess.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker manipulates the \u003ccode\u003epwd\u003c/code\u003e parameter, injecting SQL code within the parameter\u0026rsquo;s value.\u003c/li\u003e\n\u003cli\u003eThe server-side code improperly sanitizes or validates the injected SQL code within the \u003ccode\u003epwd\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses authentication or gains elevated privileges through the successful SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive data from the database, such as user credentials or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete data within the database, leading to data corruption or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-7063) can lead to complete compromise of the affected Employee Management System. An attacker can gain unauthorized access to sensitive employee data, including personal information, salaries, and performance reviews. The attacker could modify or delete critical data, disrupt business operations, or use the compromised system as a launchpad for further attacks within the organization\u0026rsquo;s network. Given the public availability of the exploit, organizations failing to address this vulnerability are at a high risk of experiencing a data breach and associated financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to \u003ccode\u003e/370project/process/eprocess.php\u003c/code\u003e containing SQL syntax in the \u003ccode\u003epwd\u003c/code\u003e parameter to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts targeting the vulnerable \u003ccode\u003epwd\u003c/code\u003e parameter in the \u003ccode\u003eeprocess.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003epwd\u003c/code\u003e parameter in \u003ccode\u003e/370project/process/eprocess.php\u003c/code\u003e to prevent SQL injection, addressing CVE-2026-7063.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T23:16:21Z","date_published":"2026-04-26T23:16:21Z","id":"/briefs/2026-04-ems-sqli/","summary":"CVE-2026-7063 is a SQL Injection vulnerability in code-projects Employee Management System 1.0 via the 'pwd' parameter in /370project/process/eprocess.php, enabling remote attackers to execute arbitrary SQL commands.","title":"code-projects Employee Management System SQL Injection Vulnerability (CVE-2026-7063)","url":"https://feed.craftedsignal.io/briefs/2026-04-ems-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7002"}],"_cs_exploited":false,"_cs_products":["SocialMediaWebsite (up to 1.0.1)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["klik"],"content_html":"\u003cp\u003eKLiK SocialMediaWebsite version 1.0.1 and earlier is susceptible to a SQL injection vulnerability (CVE-2026-7002) affecting the Private Message Handler component. This vulnerability resides within the \u003ccode\u003e/includes/get_message_ajax.php\u003c/code\u003e file, and is triggered by manipulating the \u003ccode\u003ec_id\u003c/code\u003e argument. The attack can be launched remotely without authentication, potentially allowing unauthorized access to sensitive data within the application\u0026rsquo;s database. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential data breaches and unauthorized access to user information. The vulnerability was published on April 25, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a KLiK SocialMediaWebsite instance running version 1.0.1 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/includes/get_message_ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a SQL payload into the \u003ccode\u003ec_id\u003c/code\u003e parameter of the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL query without proper sanitization, leading to unintended data retrieval or modification.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information from the database, such as user credentials or private messages.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the stolen credentials to gain unauthorized access to user accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive data stored in the KLiK SocialMediaWebsite database. This could include user credentials, private messages, and other personal information. An attacker could potentially gain complete control over the application\u0026rsquo;s data, leading to data breaches, identity theft, and other malicious activities. Given the wide use of social media platforms, a successful attack could affect a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for KLiK SocialMediaWebsite to address CVE-2026-7002.\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and sanitization techniques to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to exploit this SQL injection vulnerability by monitoring web server logs for suspicious requests targeting \u003ccode\u003e/includes/get_message_ajax.php\u003c/code\u003e with potentially malicious SQL payloads in the \u003ccode\u003ec_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to \u003ccode\u003e/includes/get_message_ajax.php\u003c/code\u003e containing SQL keywords (e.g., \u003ccode\u003eSELECT\u003c/code\u003e, \u003ccode\u003eUNION\u003c/code\u003e, \u003ccode\u003eUPDATE\u003c/code\u003e, \u003ccode\u003eINSERT\u003c/code\u003e, \u003ccode\u003eDELETE\u003c/code\u003e) in the \u003ccode\u003ec_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T14:30:00Z","date_published":"2026-04-26T14:30:00Z","id":"/briefs/2026-04-klik-sqli/","summary":"KLiK SocialMediaWebsite up to version 1.0.1 is vulnerable to SQL injection via manipulation of the c_id argument in the /includes/get_message_ajax.php file, specifically affecting the Private Message Handler component, which can be exploited remotely.","title":"KLiK SocialMediaWebsite SQL Injection Vulnerability (CVE-2026-7002)","url":"https://feed.craftedsignal.io/briefs/2026-04-klik-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6987"}],"_cs_exploited":false,"_cs_products":["PicoClaw"],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["sipeed"],"content_html":"\u003cp\u003eA command injection vulnerability exists in PicoClaw version 0.2.4, specifically affecting the \u003ccode\u003e/api/gateway/restart\u003c/code\u003e endpoint within the Web Launcher Management Plane component. This flaw allows unauthenticated remote attackers to inject and execute arbitrary commands on the underlying system. The vulnerability, identified as CVE-2026-6987, stems from improper neutralization of special elements in the input to the \u003ccode\u003e/api/gateway/restart\u003c/code\u003e function. The project maintainers were notified through an issue report, but as of the time of disclosure, no response or patch has been released. This vulnerability poses a significant risk, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable PicoClaw instance running version 0.2.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/api/gateway/restart\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects OS commands into a parameter processed by the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe PicoClaw application fails to properly sanitize the attacker-supplied input.\u003c/li\u003e\n\u003cli\u003eThe application executes the injected commands with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the initial foothold to escalate privileges, potentially gaining root access.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware, exfiltrates sensitive data, or performs other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this command injection vulnerability allows a remote attacker to execute arbitrary commands on the affected system. This could lead to complete system compromise, data theft, or denial of service. Given the nature of command injection, the attacker may be able to escalate privileges and gain full control over the server. The number of potential victims is unknown, but any PicoClaw installation running version 0.2.4 exposed to the network is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches for PicoClaw as soon as they are released to remediate CVE-2026-6987.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003e/api/gateway/restart\u003c/code\u003e endpoint to prevent command injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PicoClaw Restart Requests\u003c/code\u003e to monitor for exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity or suspicious commands executed via HTTP requests, correlating with requests to \u003ccode\u003e/api/gateway/restart\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to filter malicious requests targeting the \u003ccode\u003e/api/gateway/restart\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T17:16:33Z","date_published":"2026-04-25T17:16:33Z","id":"/briefs/2026-04-picoclaw-cmd-injection/","summary":"PicoClaw version 0.2.4 is vulnerable to command injection via the /api/gateway/restart endpoint of the Web Launcher Management Plane, allowing a remote attacker to execute arbitrary commands by manipulating input.","title":"PicoClaw Web Launcher Management Plane Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-picoclaw-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6977"}],"_cs_exploited":false,"_cs_products":["vanna"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","authorization","web application"],"_cs_type":"advisory","_cs_vendors":["vanna-ai"],"content_html":"\u003cp\u003eA security vulnerability, identified as CVE-2026-6977, has been discovered in vanna-ai vanna versions up to 2.0.2. The vulnerability resides within an unspecified function of the Legacy Flask API component. Successful exploitation of this flaw leads to improper authorization, potentially granting unauthorized access to sensitive resources or functionalities. The vulnerability is remotely exploitable and a proof-of-concept exploit is publicly available. The vendor was contacted but did not respond. This vulnerability poses a risk to systems utilizing the affected versions of vanna-ai vanna, as attackers could leverage it to bypass intended access controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable vanna-ai vanna instance running version 2.0.2 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the Legacy Flask API. The specific endpoint and parameters involved are not defined in the source material.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the improper authorization vulnerability (CVE-2026-6977) within the Legacy Flask API.\u003c/li\u003e\n\u003cli\u003eDue to the improper authorization flaw, the attacker\u0026rsquo;s request bypasses the intended access controls.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application grants the attacker unauthorized access to resources or functionalities that should be restricted.\u003c/li\u003e\n\u003cli\u003eDepending on the accessed resources, the attacker may gain access to sensitive data, modify system settings, or perform other unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges or move laterally within the affected system if further vulnerabilities exist or if the compromised application has elevated permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6977 allows a remote attacker to bypass authorization checks in vanna-ai vanna, potentially leading to unauthorized access to sensitive data or functionality. Given that a public exploit exists, organizations utilizing affected versions of vanna-ai vanna are at increased risk. The lack of vendor response further exacerbates the risk, as no official patch or mitigation guidance is available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the Legacy Flask API in vanna-ai vanna, using a webserver category Sigma rule focused on unusual HTTP requests.\u003c/li\u003e\n\u003cli\u003eApply generic hardening and input validation techniques to mitigate the impact of potential exploits targeting web applications.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate the activity from the VulDB references provided in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T11:16:19Z","date_published":"2026-04-25T11:16:19Z","id":"/briefs/2026-04-vanna-ai-authz-bypass/","summary":"An improper authorization vulnerability (CVE-2026-6977) exists in vanna-ai vanna up to version 2.0.2 due to manipulation of an unknown function within the Legacy Flask API, potentially allowing remote attackers to bypass intended access restrictions.","title":"vanna-ai vanna Improper Authorization Vulnerability (CVE-2026-6977)","url":"https://feed.craftedsignal.io/briefs/2026-04-vanna-ai-authz-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41347"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["csrf","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 is susceptible to Cross-Site Request Forgery (CSRF) attacks. The vulnerability lies in the lack of browser-origin validation within the HTTP operator endpoints when the application operates in trusted-proxy mode. This allows an attacker to craft malicious HTTP requests originating from a user\u0026rsquo;s browser to perform unauthorized actions within the OpenClaw application. Successful exploitation of this vulnerability enables attackers to execute privileged operations, potentially leading to data modification or unauthorized access to sensitive functionalities. This vulnerability requires the application to be deployed in trusted-proxy mode to be exploitable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTML page containing a forged HTTP request targeting a vulnerable OpenClaw HTTP operator endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious HTML page on a website or delivers it through phishing.\u003c/li\u003e\n\u003cli\u003eA victim user, authenticated to the OpenClaw application, visits the malicious HTML page in their browser.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser automatically sends the forged HTTP request to the vulnerable OpenClaw endpoint.\u003c/li\u003e\n\u003cli\u003eBecause the OpenClaw application lacks proper browser-origin validation, it processes the forged request.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to perform unauthorized actions as the authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify user configurations or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSRF vulnerability in OpenClaw can lead to unauthorized modification of application settings, data manipulation, or even complete account takeover. While specific victim numbers are unavailable, the impact extends to any organization utilizing OpenClaw in a trusted-proxy deployment scenario. The vulnerability can potentially compromise data integrity and confidentiality, leading to significant operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41347.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious HTTP requests lacking proper origin validation within your web server logs.\u003c/li\u003e\n\u003cli\u003eImplement proper CSRF protection mechanisms, such as synchronizer tokens, in OpenClaw\u0026rsquo;s HTTP operator endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-openclaw-csrf/","summary":"OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.","title":"OpenClaw Cross-Site Request Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-csrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34415"}],"_cs_exploited":false,"_cs_products":["Online Toolkits (\u003c= 3.15)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-34415","rce","file-upload","web-application"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a platform used for creating online learning materials, is vulnerable to unauthenticated remote code execution (RCE). Specifically, versions 3.15 and earlier contain an incomplete input validation vulnerability within the elFinder connector endpoint. This flaw allows an attacker to bypass existing file extension filters and upload PHP files with a \u0026lsquo;.php4\u0026rsquo; extension. Combined with authentication bypass and path traversal vulnerabilities, this can lead to arbitrary operating system command execution on the underlying server. This vulnerability, identified as CVE-2026-34415, poses a significant risk to organizations using affected versions of Xerte Online Toolkits, potentially allowing attackers to gain complete control of the web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the elFinder connector endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits an authentication bypass vulnerability to gain unauthorized access to file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a path traversal vulnerability to specify a writable directory for the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious PHP file disguised with a \u0026lsquo;.php4\u0026rsquo; extension, bypassing the incomplete input validation.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious PHP file to the specified directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request to directly access the uploaded PHP file via its URL.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code within the uploaded file, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker can now execute operating system commands on the server, potentially leading to data theft, system compromise, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands on the affected Xerte Online Toolkits server. Given the high CVSS score of 9.8, this vulnerability is considered critical. If exploited, an attacker could potentially gain full control of the server, leading to data breaches, defacement of the website, or the use of the compromised server as a launchpad for further attacks within the network. The number of potentially affected installations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Xerte Online Toolkits to a patched version greater than 3.15 to remediate CVE-2026-34415.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious PHP4 Uploads\u0026rdquo; to identify potential exploitation attempts by monitoring web server logs for \u0026lsquo;.php4\u0026rsquo; file uploads.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual requests to PHP files located in unexpected directories, which may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the elFinder connector endpoint that include suspicious parameters or file extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-xerte-rce/","summary":"Xerte Online Toolkits 3.15 and earlier contain an incomplete input validation vulnerability allowing unauthenticated attackers to upload malicious PHP code with a '.php4' extension, leading to arbitrary operating system command execution on the server.","title":"Xerte Online Toolkits Unauthenticated Remote Code Execution via File Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-xerte-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Daptin"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":["Daptin"],"content_html":"\u003cp\u003eDaptin versions prior to 0.11.4 are susceptible to a SQL injection vulnerability in the \u003ccode\u003e/aggregate/:typename\u003c/code\u003e endpoint. The vulnerability arises because the application fails to properly validate the \u003ccode\u003ecolumn\u003c/code\u003e and \u003ccode\u003egroup\u003c/code\u003e query parameters before passing them to \u003ccode\u003egoqu.L()\u003c/code\u003e. This function is used to build raw SQL literal expressions, thus bypassing parameterization and allowing attackers to inject arbitrary SQL code. Any authenticated user, regardless of privilege level, can exploit this vulnerability. This poses a significant risk as it enables unauthorized data extraction, disclosure of database internals, and cross-table data exfiltration. The vulnerability was reported on 2026-04-22 and assigned CVE-2026-41422.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Daptin application with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/aggregate/:typename\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a SQL payload into the \u003ccode\u003ecolumn\u003c/code\u003e or \u003ccode\u003egroup\u003c/code\u003e query parameters. For example, \u003ccode\u003ecolumn=(SELECT group_concat(email) FROM user_account) as leak\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Daptin application receives the request and passes the unvalidated \u003ccode\u003ecolumn\u003c/code\u003e parameter to the \u003ccode\u003egoqu.L()\u003c/code\u003e function in \u003ccode\u003eserver/resource/resource_aggregate.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egoqu.L()\u003c/code\u003e function constructs a raw SQL query using the attacker-controlled input, bypassing any parameterization.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is executed against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the injected SQL query\u0026rsquo;s result from the application\u0026rsquo;s response, which contains sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the extracted data, potentially including user credentials, internal database schema details, or other confidential information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows attackers to perform unauthorized data extraction, including sensitive information like user credentials. An attacker can also disclose database internals and exfiltrate data from multiple tables, even with low-privilege access. The impact includes potential data breaches, compliance violations, and reputational damage. The vulnerability was confirmed to allow extraction of \u003ccode\u003euser_account.email\u003c/code\u003e values by a non-admin user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Daptin to version 0.11.4 or later to patch the SQL injection vulnerability (CVE-2026-41422).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Daptin Aggregate API SQL Injection\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement input validation on the \u003ccode\u003ecolumn\u003c/code\u003e and \u003ccode\u003egroup\u003c/code\u003e parameters in the \u003ccode\u003e/aggregate/:typename\u003c/code\u003e endpoint, specifically blocking SQL keywords and functions to mitigate the risk.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-daptin-sql-injection/","summary":"A SQL injection vulnerability exists in Daptin versions prior to 0.11.4 within the `/aggregate/:typename` endpoint, where the `column` and `group` query parameters are passed to `goqu.L()` without validation, allowing authenticated users to inject arbitrary SQL expressions and exfiltrate sensitive data.","title":"Daptin SQL Injection Vulnerability in Aggregate API","url":"https://feed.craftedsignal.io/briefs/2026-04-daptin-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-30869"}],"_cs_exploited":false,"_cs_products":["siyuan"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","siYuan"],"_cs_type":"advisory","_cs_vendors":["siyuan"],"content_html":"\u003cp\u003eSiYuan is vulnerable to a path traversal vulnerability (CVE-2026-30869) due to a redundant \u003ccode\u003eurl.PathUnescape()\u003c/code\u003e call within the \u003ccode\u003eserveExport()\u003c/code\u003e function. The vulnerability exists in versions prior to 3.6.5. This flaw allows an authenticated attacker, including low-privilege users with Publish/Reader roles, to bypass intended security restrictions and access sensitive files stored within the SiYuan workspace. The initial fix attempted with \u003ccode\u003eIsSensitivePath()\u003c/code\u003e proved insufficient as it did not address the core issue of double URL decoding. An attacker can exploit this vulnerability by using double URL encoded characters in a crafted HTTP request, allowing them to read arbitrary files such as the complete SQLite document database (\u003ccode\u003esiyuan.db\u003c/code\u003e), kernel logs, and other critical files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker sends a GET request to the \u003ccode\u003e/export/\u003c/code\u003e endpoint with a double URL encoded path, such as \u003ccode\u003e/export/%252e%252e/siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Go HTTP server decodes the initial layer of URL encoding, transforming \u003ccode\u003e%25\u003c/code\u003e into \u003ccode\u003e%\u003c/code\u003e, resulting in a path like \u003ccode\u003e/export/%2e%2e/siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe path cleaner does not recognize \u003ccode\u003e%2e%2e\u003c/code\u003e as directory traversal, so it passes through.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eserveExport()\u003c/code\u003e function then calls \u003ccode\u003eurl.PathUnescape()\u003c/code\u003e on the path, decoding \u003ccode\u003e%2e%2e\u003c/code\u003e into \u003ccode\u003e..\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efilepath.Join()\u003c/code\u003e function concatenates the \u003ccode\u003eexportBaseDir\u003c/code\u003e with the now decoded path, e.g., \u003ccode\u003e\u0026lt;workspace\u0026gt;/../siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eIsSensitivePath()\u003c/code\u003e check fails to block the request because it doesn\u0026rsquo;t account for the decoded path or specific database files in the \u003ccode\u003etemp/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves the contents of the \u003ccode\u003esiyuan.db\u003c/code\u003e file, which contains the complete document database.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to access other sensitive files within the workspace, such as \u003ccode\u003esiyuan.log\u003c/code\u003e, \u003ccode\u003eblocktree.db\u003c/code\u003e, and \u003ccode\u003easset_content.db\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to exfiltrate sensitive data, including the entire SQLite document database, potentially containing all user documents, attributes, and search indexes. The attacker can also access the kernel log, which may contain internal server paths, versions, configuration details, and error messages. This information disclosure could lead to further compromise of the system. While the number of victims is unknown, any SiYuan instance running a version prior to 3.6.5 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan to version 3.6.5 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect SiYuan Path Traversal Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for double URL encoded characters in requests to the \u003ccode\u003e/export/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/export/\u003c/code\u003e endpoint containing \u003ccode\u003e%252e%252e\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing a more robust path validation mechanism within the \u003ccode\u003eserveExport()\u003c/code\u003e function that properly handles URL decoding and directory traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T20:55:31Z","date_published":"2026-04-22T20:55:31Z","id":"/briefs/2026-04-siyuan-path-traversal/","summary":"SiYuan is vulnerable to path traversal via double URL encoding in the `/export/` endpoint, bypassing an incomplete fix for CVE-2026-30869; an authenticated attacker can exploit this vulnerability to traverse directories and read arbitrary workspace files, including the SQLite database (`siyuan.db`), kernel log, and user documents due to a redundant `url.PathUnescape()` call in `serveExport()`.","title":"SiYuan Path Traversal via Double URL Encoding in `/export/` Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41190"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve","authorization","web application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreeScout is a self-hosted help desk and shared mailbox platform. Prior to version 1.8.215, a vulnerability exists related to authorization controls when the \u003ccode\u003eAPP_SHOW_ONLY_ASSIGNED_CONVERSATIONS\u003c/code\u003e setting is enabled. Specifically, the \u003ccode\u003esave_draft\u003c/code\u003e AJAX endpoint lacks proper authorization checks. This allows an attacker to potentially bypass intended access restrictions and create drafts within conversations that they should not be able to access, leading to unauthorized modification or viewing of conversation data. This vulnerability was addressed in version 1.8.215.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a FreeScout instance running a version prior to 1.8.215 with \u003ccode\u003eAPP_SHOW_ONLY_ASSIGNED_CONVERSATIONS\u003c/code\u003e enabled.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the FreeScout instance with a valid, but unauthorized user account.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the conversation ID of a conversation they are not assigned to and cannot normally access via the UI.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request to the \u003ccode\u003e/index.php?m=conversations\u0026amp;a=save_draft\u003c/code\u003e endpoint, including the conversation ID and the draft content they wish to create.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks on the \u003ccode\u003esave_draft\u003c/code\u003e endpoint, accepts the POST request.\u003c/li\u003e\n\u003cli\u003eA draft is created within the targeted conversation, associated with the attacker\u0026rsquo;s user account.\u003c/li\u003e\n\u003cli\u003eThe attacker, or potentially other unauthorized users who later gain access to the attacker\u0026rsquo;s account, can view or modify the drafted content, potentially exfiltrating sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized users to create drafts within conversations they are not assigned to. This could lead to the unauthorized viewing or modification of sensitive information contained within the conversations, potentially leading to data breaches or compliance violations. The vulnerability affects FreeScout instances running versions prior to 1.8.215 with the specific \u003ccode\u003eAPP_SHOW_ONLY_ASSIGNED_CONVERSATIONS\u003c/code\u003e setting enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.215 or later to remediate the vulnerability (references: \u003ca href=\"https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215)\"\u003ehttps://github.com/freescout-help-desk/freescout/releases/tag/1.8.215)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/index.php?m=conversations\u0026amp;a=save_draft\u003c/code\u003e endpoint originating from unusual IP addresses or user agents using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to filter or block unauthorized POST requests to the vulnerable endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-freescout-auth-bypass/","summary":"FreeScout before 1.8.215 has an incorrect authorization vulnerability where a direct POST request to the `save_draft` AJAX path can create a draft inside a hidden conversation when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, potentially allowing unauthorized access or modification of data.","title":"FreeScout Incorrect Authorization Vulnerability via Save Draft","url":"https://feed.craftedsignal.io/briefs/2026-04-freescout-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6249"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6249","rce","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVvveb CMS version 1.0.8 is susceptible to a remote code execution (RCE) vulnerability (CVE-2026-6249) due to insufficient input validation in the media upload handler. An authenticated attacker can exploit this flaw by uploading a malicious PHP webshell disguised with a \u003ccode\u003e.phtml\u003c/code\u003e extension, which bypasses the server\u0026rsquo;s intended extension deny-list. The uploaded webshell is then accessible within the publicly available media directory. By crafting a specific HTTP request to access the uploaded \u003ccode\u003e.phtml\u003c/code\u003e file, the attacker can trigger the execution of arbitrary operating system commands on the server, leading to a complete compromise of the system. This vulnerability poses a significant threat to organizations utilizing Vvveb CMS 1.0.8, potentially enabling attackers to steal sensitive data, disrupt services, or establish a persistent foothold within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Vvveb CMS 1.0.8 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the media upload functionality within the CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious PHP webshell file, named with a \u003ccode\u003e.phtml\u003c/code\u003e extension, crafted to execute operating system commands.\u003c/li\u003e\n\u003cli\u003eThe CMS stores the uploaded \u003ccode\u003e.phtml\u003c/code\u003e file in the publicly accessible media directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request targeting the uploaded \u003ccode\u003e.phtml\u003c/code\u003e file in the media directory.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code within the \u003ccode\u003e.phtml\u003c/code\u003e file upon receiving the attacker\u0026rsquo;s HTTP request.\u003c/li\u003e\n\u003cli\u003eThe PHP code executes arbitrary operating system commands, as defined by the attacker in the webshell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the server, potentially leading to data theft, service disruption, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6249 allows an attacker to execute arbitrary operating system commands on the Vvveb CMS server. This could lead to a full compromise of the system, including the theft of sensitive data stored in the CMS database, modification of website content, or the deployment of malicious software. Organizations using Vvveb CMS 1.0.8 are at risk of data breaches, financial losses, and reputational damage if this vulnerability is exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vvveb CMS to a patched version that addresses CVE-2026-6249.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on all file upload functionalities to prevent the upload of malicious files.\u003c/li\u003e\n\u003cli\u003eConfigure the web server to prevent the execution of PHP code within the media directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PHTML Request\u003c/code\u003e to identify attempts to access \u003ccode\u003e.phtml\u003c/code\u003e files in the media directory.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting unusual file extensions in media directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-vvveb-rce/","summary":"Vvveb CMS 1.0.8 is vulnerable to remote code execution, allowing authenticated attackers to upload a PHP webshell with a .phtml extension, bypass extension restrictions, and execute arbitrary operating system commands by requesting the uploaded file.","title":"Vvveb CMS 1.0.8 Remote Code Execution via Malicious Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-vvveb-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6635"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6635","authentication bypass","web application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw, identified as CVE-2026-6635, has been discovered in rowboatlabs rowboat, specifically in versions up to and including 0.1.67. This vulnerability resides within the \u003ccode\u003etool_call\u003c/code\u003e function located in the \u003ccode\u003eapps/experimental/tools_webhook/app.py\u003c/code\u003e file of the \u003ccode\u003etools_webhook\u003c/code\u003e component.  The vulnerability stems from the improper handling of the \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument, which can be manipulated by a remote attacker to bypass authentication mechanisms. This flaw allows attackers to potentially gain unauthorized access and execute arbitrary actions within the application. Public exploits are available, increasing the urgency for mitigation. The vendor was notified but has not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of rowboatlabs rowboat version 0.1.67 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etool_call\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker manipulates the \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument with a crafted payload designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003etool_call\u003c/code\u003e function fails to properly validate the manipulated \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application grants the attacker unauthorized access based on the bypassed authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access to execute actions normally restricted to authenticated users.\u003c/li\u003e\n\u003cli\u003eDepending on the application\u0026rsquo;s functionality, this could involve data exfiltration, modification, or execution of arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6635 can lead to complete compromise of the rowboatlabs rowboat application. Attackers can gain unauthorized access to sensitive data, modify application settings, or even execute arbitrary code on the server. Due to the ease of exploitation with public exploits available, all instances of vulnerable rowboat versions are at immediate risk. The specific impact depends on the application\u0026rsquo;s role and the data it handles, but potential consequences include data breaches, service disruption, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation to \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument using \u003ccode\u003etool_call\u003c/code\u003e function within \u003ccode\u003eapps/experimental/tools_webhook/app.py\u003c/code\u003e to prevent improper authentication (CVE-2026-6635).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Rowboat Authentication Bypass Attempt via X-Tools-JWE Manipulation\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests targeting the \u003ccode\u003etool_call\u003c/code\u003e function with unusual \u003ccode\u003eX-Tools-JWE\u003c/code\u003e values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T12:16:09Z","date_published":"2026-04-20T12:16:09Z","id":"/briefs/2026-04-rowboat-auth-bypass/","summary":"An improper authentication vulnerability in rowboatlabs rowboat \u003c=0.1.67 allows remote attackers to bypass authentication by manipulating the X-Tools-JWE argument in the tool_call function, potentially leading to unauthorized access and control.","title":"Rowboatlabs Rowboat Improper Authentication Vulnerability (CVE-2026-6635)","url":"https://feed.craftedsignal.io/briefs/2026-04-rowboat-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6629","sql-injection","web-application","metasoft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-6629, has been discovered in Metasoft 美特软件 MetaCRM versions up to 6.4.0. The vulnerability resides within the \u003ccode\u003esql.jsp\u003c/code\u003e file, specifically affecting the \u003ccode\u003eStatement.executeUpdate\u003c/code\u003e function of the Interface component. The vulnerability allows remote attackers to inject arbitrary SQL commands by manipulating the \u003ccode\u003esql\u003c/code\u003e argument. Public exploit code is available, increasing the risk of exploitation. The vendor was notified but did not respond. This vulnerability poses a significant threat to organizations using the affected MetaCRM versions, potentially leading to data breaches, system compromise, and unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Metasoft MetaCRM instance running a vulnerable version (\u0026lt;= 6.4.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003esql.jsp\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker manipulates the \u003ccode\u003esql\u003c/code\u003e parameter to inject SQL code.\u003c/li\u003e\n\u003cli\u003eThe crafted SQL injection payload is passed to the \u003ccode\u003eStatement.executeUpdate\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe database server executes the malicious SQL command.\u003c/li\u003e\n\u003cli\u003eThe attacker can read sensitive data from the database, modify existing data, or execute administrative commands.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system, potentially leading to complete system compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to a range of severe consequences, including unauthorized data access, data modification, and complete system compromise. Attackers could steal sensitive customer data, financial records, or intellectual property. They might also be able to modify existing data to cause financial losses or disrupt business operations. The lack of vendor response exacerbates the risk, as no official patch or mitigation is available. The CVSS score of 7.3 reflects the high potential impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests targeting \u003ccode\u003esql.jsp\u003c/code\u003e with potentially malicious SQL queries in the \u003ccode\u003esql\u003c/code\u003e parameter to detect exploitation attempts. Reference the Sigma rule \u003ccode\u003eDetect-Metasoft-MetaCRM-SQL-Injection\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect-Metasoft-MetaCRM-SQL-Error\u003c/code\u003e to detect SQL errors that may indicate injection attempts.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003esql\u003c/code\u003e parameter in \u003ccode\u003esql.jsp\u003c/code\u003e to prevent SQL injection. This requires modifying the application code.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual database activity originating from the web server, such as large data transfers or unauthorized access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T11:16:18Z","date_published":"2026-04-20T11:16:18Z","id":"/briefs/2026-04-metasoft-crm-sql-injection/","summary":"A SQL injection vulnerability (CVE-2026-6629) exists in Metasoft MetaCRM up to version 6.4.0, allowing remote attackers to execute arbitrary SQL commands via manipulation of the sql argument in the Statement.executeUpdate function of the sql.jsp file.","title":"Metasoft MetaCRM SQL Injection Vulnerability (CVE-2026-6629)","url":"https://feed.craftedsignal.io/briefs/2026-04-metasoft-crm-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-5964"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sql-injection","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEasyFlow .NET, a product developed by Digiwin, is affected by a critical SQL Injection vulnerability (CVE-2026-5964). This flaw allows unauthenticated remote attackers to inject arbitrary SQL commands into the application\u0026rsquo;s database queries. This can lead to the unauthorized reading, modification, or deletion of sensitive database contents. The vulnerability poses a significant risk, as it requires no prior authentication and can be exploited remotely. Public reports detailing the vulnerability were released in April 2026, and exploitation attempts are anticipated to increase. Defenders should prioritize patching and implementing detection mechanisms to mitigate potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an EasyFlow .NET instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing SQL injection payloads within a vulnerable parameter.\u003c/li\u003e\n\u003cli\u003eThe EasyFlow .NET application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL command, potentially revealing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts data from the database, such as user credentials or proprietary information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection to modify database records, such as escalating privileges or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker may delete data from the database, leading to denial of service or data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL Injection vulnerability allows unauthenticated attackers to read, modify, and delete data within the EasyFlow .NET database. This can lead to the compromise of sensitive information, including user credentials, financial data, and proprietary business information. Modified data can disrupt business operations or facilitate further attacks. Data deletion can cause significant data loss and system instability. Due to the critical nature of the vulnerability and the ease of exploitation, organizations using EasyFlow .NET are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to the latest version of EasyFlow .NET provided by Digiwin to remediate CVE-2026-5964.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Attempts in HTTP Requests\u0026rdquo; to identify exploitation attempts targeting web servers.\u003c/li\u003e\n\u003cli\u003eImplement input validation and parameterized queries to prevent SQL injection vulnerabilities in web applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests containing common SQL injection keywords.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T08:16:10Z","date_published":"2026-04-20T08:16:10Z","id":"/briefs/2026-04-easyflow-sqli/","summary":"Digiwin's EasyFlow .NET is susceptible to a SQL Injection vulnerability, enabling unauthenticated remote attackers to inject arbitrary SQL commands for unauthorized database access, modification, and deletion.","title":"Digiwin EasyFlow .NET SQL Injection Vulnerability (CVE-2026-5964)","url":"https://feed.craftedsignal.io/briefs/2026-04-easyflow-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6580"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6580","djangoblog","hardcoded-key","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-6580, has been identified in liangliangyy DjangoBlog, specifically versions up to 2.1.0.0. The flaw resides within the Amap API Call Handler in the \u003ccode\u003eowntracks/views.py\u003c/code\u003e file. By manipulating the \u003ccode\u003ekey\u003c/code\u003e argument during API calls, a remote attacker can force the application to use a hard-coded cryptographic key. This vulnerability allows unauthorized access or modification of data that relies on this key for security. The exploit is publicly available, increasing the risk of widespread exploitation. The vendor has been notified but has not provided a response or patch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable DjangoBlog instance running a version up to 2.1.0.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Amap API Call Handler (\u003ccode\u003eowntracks/views.py\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003ekey\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe DjangoBlog application processes the request and, due to the vulnerability, uses the hard-coded cryptographic key.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hard-coded key to bypass authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or functionality protected by the Amap API.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially modifies data or performs actions on behalf of legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6580 allows attackers to bypass authentication, potentially leading to unauthorized data access, data modification, or complete system compromise. This could affect all users of the DjangoBlog instance. Given the availability of a public exploit, unpatched systems are at high risk of being targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for requests targeting \u003ccode\u003eowntracks/views.py\u003c/code\u003e with unusual \u003ccode\u003ekey\u003c/code\u003e parameter values to detect potential exploitation attempts (see the Sigma rule below).\u003c/li\u003e\n\u003cli\u003eApply a patch as soon as it becomes available from the vendor to remediate CVE-2026-6580.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003ekey\u003c/code\u003e parameter in the Amap API Call Handler to prevent exploitation (mitigation, not detection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T23:16:33Z","date_published":"2026-04-19T23:16:33Z","id":"/briefs/2026-04-djangoblog-hardcoded-key/","summary":"CVE-2026-6580 describes a vulnerability in liangliangyy DjangoBlog up to version 2.1.0.0 where manipulation of the 'key' argument in the Amap API Call Handler leads to the use of a hard-coded cryptographic key, enabling remote exploitation.","title":"liangliangyy DjangoBlog Hardcoded Cryptographic Key Vulnerability (CVE-2026-6580)","url":"https://feed.craftedsignal.io/briefs/2026-04-djangoblog-hardcoded-key/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6577"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6577","djangoblog","authentication-bypass","gps-injection","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6577 is an authentication bypass vulnerability affecting liangliangyy DjangoBlog versions up to 2.1.0.0. The vulnerability exists within an unknown function of the \u003ccode\u003eowntracks/views.py\u003c/code\u003e file related to the \u003ccode\u003elogtracks\u003c/code\u003e endpoint. Due to missing authentication, a remote attacker can inject arbitrary GPS data without proper authorization. This can lead to manipulation of location data, unauthorized access to location-based features, and potentially further compromise of the application. A public exploit for this vulnerability is available, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using DjangoBlog, potentially impacting data integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a DjangoBlog instance running a vulnerable version (\u0026lt;= 2.1.0.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/owntracks/views.py\u003c/code\u003e \u003ccode\u003elogtracks\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request injects arbitrary GPS data, bypassing the authentication mechanisms.\u003c/li\u003e\n\u003cli\u003eThe DjangoBlog application processes the crafted request without proper authentication checks.\u003c/li\u003e\n\u003cli\u003eThe injected GPS data is stored and associated with a user or device, potentially overwriting legitimate data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to location-based features or data due to the injected GPS coordinates.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised location data to perform further malicious activities, such as tracking user movements or manipulating location-based services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6577 allows attackers to inject arbitrary GPS data into vulnerable DjangoBlog instances. This can lead to the manipulation of user location data, potentially impacting location-based services and features. An attacker can track user movements, access restricted resources based on location, or even impersonate legitimate users. Given the availability of a public exploit, unpatched DjangoBlog instances are at high risk of compromise, potentially affecting hundreds of deployments. The lack of vendor response exacerbates the risk, as no official patch or mitigation is available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious GPS Data Injection\u003c/code\u003e to your SIEM to identify exploitation attempts targeting the \u003ccode\u003elogtracks\u003c/code\u003e endpoint (logsource: webserver).\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/owntracks/views.py\u003c/code\u003e with unusual parameters or patterns, potentially indicating malicious GPS data injection (logsource: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor application logs for any anomalies related to GPS data processing or location-based services, which might be signs of successful exploitation (logsource: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T20:16:28Z","date_published":"2026-04-19T20:16:28Z","id":"/briefs/2026-04-djangoblog-auth-bypass/","summary":"A critical authentication bypass vulnerability in liangliangyy DjangoBlog up to version 2.1.0.0 (CVE-2026-6577) allows remote attackers to inject arbitrary GPS data without authentication via the logtracks endpoint, potentially leading to data manipulation and unauthorized access.","title":"liangliangyy DjangoBlog Authentication Bypass Vulnerability (CVE-2026-6577)","url":"https://feed.craftedsignal.io/briefs/2026-04-djangoblog-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6574"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6574","hardcoded-credentials","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eosuuu LightPicture, up to version 1.2.2, is vulnerable to a hardcoded credentials exposure vulnerability (CVE-2026-6574). This flaw resides within the API Upload Endpoint and is triggered when processing the \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e file. An attacker can manipulate the \u003ccode\u003ekey\u003c/code\u003e argument to exploit this vulnerability. The vendor has been notified about the vulnerability but has not responded. Public exploits are available, increasing the risk of exploitation. This vulnerability allows an attacker to potentially gain unauthorized access and control over the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of osuuu LightPicture running version 1.2.2 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the API Upload Endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a modified \u003ccode\u003ekey\u003c/code\u003e argument within the \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e file path.\u003c/li\u003e\n\u003cli\u003eThe application processes the crafted request without proper sanitization.\u003c/li\u003e\n\u003cli\u003eDue to the manipulated \u003ccode\u003ekey\u003c/code\u003e argument, the application exposes hardcoded credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exposed hardcoded credentials from the server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the acquired credentials to authenticate and gain unauthorized access to the application.\u003c/li\u003e\n\u003cli\u003eWith unauthorized access, the attacker can perform malicious activities such as data theft, modification, or deletion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6574 can lead to complete compromise of the osuuu LightPicture application and potentially the underlying server. The vulnerability exposes hardcoded credentials, enabling attackers to bypass authentication and gain administrative privileges. The impact includes unauthorized access to sensitive data, modification of application settings, and potential disruption of service. The vulnerability affects all installations of osuuu LightPicture up to version 1.2.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious LP.SQL Access\u003c/code\u003e to identify attempts to access the vulnerable file (log source: webserver).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003ekey\u003c/code\u003e argument within the API Upload Endpoint to prevent manipulation (reference CVE-2026-6574).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e file with unusual parameters (log source: webserver).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not possible, implement a web application firewall (WAF) rule to block requests containing malicious patterns in the \u003ccode\u003ekey\u003c/code\u003e argument (log source: firewall).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T14:16:11Z","date_published":"2026-04-19T14:16:11Z","id":"/briefs/2026-04-lightpicture-hardcoded-creds/","summary":"CVE-2026-6574 allows remote attackers to manipulate the 'key' argument in the /public/install/lp.sql file via the API Upload Endpoint in osuuu LightPicture \u003c= 1.2.2, leading to hardcoded credentials exposure.","title":"osuuu LightPicture Hardcoded Credentials Vulnerability (CVE-2026-6574)","url":"https://feed.craftedsignal.io/briefs/2026-04-lightpicture-hardcoded-creds/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40285"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wegia","sql-injection","cve-2026-40285","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeGIA, a web manager for charitable institutions, is susceptible to a SQL injection vulnerability affecting versions prior to 3.6.10. This flaw, identified as CVE-2026-40285, resides in the \u003ccode\u003edao/memorando/UsuarioDAO.php\u003c/code\u003e file. The vulnerability stems from the insecure handling of the \u003ccode\u003ecpf_usuario\u003c/code\u003e POST parameter within the \u003ccode\u003eDespachoControle::verificarDespacho()\u003c/code\u003e function, where the \u003ccode\u003eextract($_REQUEST)\u003c/code\u003e function overwrites the session-stored user identity. An attacker can then manipulate the \u003ccode\u003ecpf_usuario\u003c/code\u003e value, which is subsequently interpolated directly into a raw SQL query. This allows an authenticated user to execute arbitrary SQL queries with the privileges of an arbitrary user, potentially gaining unauthorized access to sensitive data. WeGIA version 3.6.10 addresses and resolves this critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WeGIA web application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the endpoint associated with \u003ccode\u003eDespachoControle::verificarDespacho()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes the \u003ccode\u003ecpf_usuario\u003c/code\u003e parameter with a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eextract($_REQUEST)\u003c/code\u003e function processes the POST data, overwriting the legitimate session-stored user identity with the attacker-controlled \u003ccode\u003ecpf_usuario\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe application constructs a raw SQL query, directly interpolating the malicious \u003ccode\u003ecpf_usuario\u003c/code\u003e value into the query string without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe database executes the crafted SQL query, effectively querying the database as an arbitrary user specified by the attacker in the \u003ccode\u003ecpf_usuario\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application returns the results of the injected SQL query to the attacker, potentially revealing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker can leverage the SQL injection to perform unauthorized data retrieval, modification, or deletion within the WeGIA application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-40285) allows attackers to bypass authentication and access sensitive data within the WeGIA application. This could lead to the compromise of user accounts, financial records, or other confidential information managed by charitable institutions using WeGIA. The impact could range from data breaches and financial losses to reputational damage and legal repercussions for the affected organizations. The CVSS v3.1 base score of 8.8 indicates a high level of severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WeGIA installations to version 3.6.10 or later to remediate CVE-2026-40285.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect exploitation attempts by monitoring for POST requests containing potentially malicious SQL injection payloads in the \u003ccode\u003ecpf_usuario\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures for all user-supplied data, especially within the \u003ccode\u003eDespachoControle::verificarDespacho()\u003c/code\u003e function to prevent future SQL injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious POST requests targeting WeGIA endpoints to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-wegia-sqli/","summary":"WeGIA versions prior to 3.6.10 are vulnerable to SQL injection via the cpf_usuario POST parameter, allowing authenticated users to query the database under an arbitrary identity.","title":"WeGIA SQL Injection Vulnerability (CVE-2026-40285)","url":"https://feed.craftedsignal.io/briefs/2026-04-wegia-sqli/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-40315"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","praisonai","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a software application, contains a critical SQL injection vulnerability affecting nine of its conversation store backends, including MySQL, PostgreSQL, and others. The vulnerability stems from the improper handling of the \u003ccode\u003etable_prefix\u003c/code\u003e parameter, which is passed directly into SQL queries without adequate validation. Specifically, backends such as MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, and SurrealDB are affected. In addition, the PostgreSQL backend is vulnerable due to the unvalidated \u003ccode\u003eschema\u003c/code\u003e parameter. This flaw allows an attacker to inject arbitrary SQL commands, potentially gaining unauthorized access to sensitive data. The incomplete fix for CVE-2026-40315 only addressed the SQLite backend, leaving other backends exposed. This vulnerability exists in PraisonAI versions 4.5.148 and earlier, as well as PraisonAI Agents versions 1.6.7 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a PraisonAI instance where the \u003ccode\u003etable_prefix\u003c/code\u003e or \u003ccode\u003eschema\u003c/code\u003e (PostgreSQL) parameter is derived from external input (e.g., API request, user-modifiable configuration).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003etable_prefix\u003c/code\u003e or \u003ccode\u003eschema\u003c/code\u003e string containing SQL injection payload (e.g., \u0026ldquo;x\u0026rsquo;; DROP TABLE users; \u0026ndash;\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious \u003ccode\u003etable_prefix\u003c/code\u003e or \u003ccode\u003eschema\u003c/code\u003e via the vulnerable input vector.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI application receives the crafted \u003ccode\u003etable_prefix\u003c/code\u003e or \u003ccode\u003eschema\u003c/code\u003e and incorporates it into a dynamically generated SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe application executes the malicious SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s injected SQL commands are executed, potentially allowing them to read, modify, or delete data within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data, such as user credentials, financial information, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges, compromise other systems, or perform further malicious activities within the affected environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to complete database compromise. The attacker can read sensitive data, modify existing records, inject malicious code, or even drop entire tables. This can result in significant data loss, financial damage, and reputational harm for affected organizations. This vulnerability is exploitable in any deployment where the \u003ccode\u003etable_prefix\u003c/code\u003e is derived from external input, such as in multi-tenant setups or API-driven configurations. The PostgreSQL \u003ccode\u003eschema\u003c/code\u003e parameter provides an additional injection point, further expanding the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003etable_prefix\u003c/code\u003e parameter in all database backends, mirroring the fix implemented for \u003ccode\u003esqlite.py\u003c/code\u003e as described in the overview.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eschema\u003c/code\u003e parameter in the PostgreSQL backend, as noted in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Malicious Table Prefix\u003c/code\u003e to detect attempts to exploit this vulnerability in MySQL and PostgreSQL backends, as detailed below.\u003c/li\u003e\n\u003cli\u003eUpgrade PraisonAI to a version that includes proper input validation for \u003ccode\u003etable_prefix\u003c/code\u003e and \u003ccode\u003eschema\u003c/code\u003e parameters, targeting versions later than 4.5.148 for PraisonAI and later than 1.6.7 for PraisonAI Agents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-praisonai-sqli/","summary":"PraisonAI is vulnerable to SQL injection across nine database backends due to unsanitized `table_prefix` parameters, and in PostgreSQL due to an unsanitized `schema` parameter, enabling arbitrary SQL execution.","title":"PraisonAI Multiple Backends Vulnerable to SQL Injection via Unvalidated Table Prefix","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["yeswiki","sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eYesWiki versions 4.6.0 and earlier are vulnerable to SQL injection in the bazar module. This vulnerability exists in \u003ccode\u003etools/bazar/services/EntryManager.php\u003c/code\u003e within the \u003ccode\u003eformatDataBeforeSave()\u003c/code\u003e function. The \u003ccode\u003e$data['id_fiche']\u003c/code\u003e value, derived from the \u003ccode\u003e$_POST['id_fiche']\u003c/code\u003e parameter, is directly concatenated into a raw SQL query without proper sanitization. An authenticated attacker can exploit this by sending a crafted POST request to the \u003ccode\u003e/api/entries/{formId}\u003c/code\u003e endpoint. Successful exploitation enables time-based blind SQL injection, potentially leading to complete database compromise. The vulnerability was confirmed using a Docker PoC demonstrating the ability to induce a time delay using the SLEEP() function within the injected SQL.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the YesWiki application as any user. This requires a valid \u003ccode\u003ewikini_session\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request to \u003ccode\u003e/api/entries/{formId}\u003c/code\u003e, where \u003ccode\u003e{formId}\u003c/code\u003e is the ID of an existing bazar form.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eid_fiche\u003c/code\u003e parameter with a malicious SQL payload, such as \u003ccode\u003e' OR SLEEP(3) OR '\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eApiController::createEntry()\u003c/code\u003e processes the request and calls \u003ccode\u003eisEntry($_POST['id_fiche'])\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSince the injected SQL will likely not correspond to an existing entry, the \u003ccode\u003ecreate()\u003c/code\u003e method is invoked.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreate()\u003c/code\u003e method calls \u003ccode\u003eformatDataBeforeSave()\u003c/code\u003e, which contains the SQL injection vulnerability at line 704 in \u003ccode\u003eEntryManager.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is executed by the database server via \u003ccode\u003edbService-\u0026gt;loadSingle()\u003c/code\u003e, without proper escaping or parameterization.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker can extract sensitive information from the database, such as usernames, passwords, and other confidential data. They can also modify data within the database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to the complete compromise of the YesWiki database. This includes the potential to access and exfiltrate sensitive data, such as user credentials, configuration details, and business-critical information. Attackers can also modify or delete data, leading to data integrity issues and service disruption. Since any authenticated user can trigger the vulnerability, the impact is widespread. The vulnerability affects composer/yeswiki/yeswiki versions 4.6.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided patch in \u003ccode\u003etools/bazar/services/EntryManager.php\u003c/code\u003e by escaping the \u003ccode\u003e$data['id_fiche']\u003c/code\u003e value before using it in the SQL query (see Proposed Fix in Content section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect YesWiki SQL Injection Attempt via API Entries\u0026rdquo; to detect attempts to exploit this vulnerability via suspicious \u003ccode\u003eid_fiche\u003c/code\u003e POST data.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/entries/*\u003c/code\u003e with unusually long or complex \u003ccode\u003eid_fiche\u003c/code\u003e parameters, as this could indicate a SQL injection attempt.\u003c/li\u003e\n\u003cli\u003eReview and audit all database queries within the YesWiki application to identify and remediate any other potential SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T01:00:30Z","date_published":"2026-04-18T01:00:30Z","id":"/briefs/2024-01-24-yeswiki-sqli/","summary":"YesWiki is vulnerable to authenticated SQL Injection via the id_fiche parameter in the EntryManager::formatDataBeforeSave() function, allowing attackers to inject arbitrary SQL commands and potentially extract sensitive data.","title":"YesWiki Authenticated SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-24-yeswiki-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-40348"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ssrf","cve-2026-40348","movary","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMovary, a self-hosted web application for tracking and rating movies, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-40348) in versions prior to 0.71.1. This flaw allows authenticated users to manipulate the \u003ccode\u003e/settings/jellyfin/server-url-verify\u003c/code\u003e endpoint to initiate server-side HTTP requests to arbitrary internal targets. The application uses the Guzzle HTTP client to send requests based on a user-supplied URL, to which \u003ccode\u003e/system/info/public\u003c/code\u003e is appended. The absence of input validation on the target URL allows attackers to bypass intended restrictions and access internal network resources. This vulnerability enables threat actors to perform internal reconnaissance activities such as host discovery, port scanning, and service fingerprinting. Successful exploitation can lead to further compromise by exposing internal administrative interfaces or cloud metadata endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Movary web application with a valid user account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting an internal resource, such as \u003ccode\u003ehttp://127.0.0.1/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/settings/jellyfin/server-url-verify\u003c/code\u003e with the crafted URL as the \u003ccode\u003eserverUrl\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe Movary server receives the request and appends \u003ccode\u003e/system/info/public\u003c/code\u003e to the user-provided URL.\u003c/li\u003e\n\u003cli\u003eThe Movary server uses the Guzzle HTTP client to initiate an HTTP request to the modified URL (e.g., \u003ccode\u003ehttp://127.0.0.1/system/info/public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe internal service at the targeted IP address responds to the Movary server.\u003c/li\u003e\n\u003cli\u003eBased on the HTTP response code and content, the attacker can infer the existence and status of internal services. This allows for port scanning and service fingerprinting.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages discovered services to escalate privileges, potentially accessing sensitive data or internal administrative panels.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SSRF vulnerability (CVE-2026-40348) in Movary can enable attackers to discover internal network infrastructure and identify vulnerable services. This can allow attackers to gain unauthorized access to sensitive information, pivot to other internal systems, or perform other malicious activities. Although no specific victim count is given, the impact of this vulnerability is potentially high for any organization using a vulnerable version of Movary.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Movary to version 0.71.1 or later to patch the SSRF vulnerability (CVE-2026-40348).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Movary SSRF Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to restrict access to sensitive internal services, limiting the impact of potential SSRF attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T00:16:38Z","date_published":"2026-04-18T00:16:38Z","id":"/briefs/2026-04-movary-ssrf/","summary":"Movary versions before 0.71.1 are vulnerable to server-side request forgery (SSRF) via the `/settings/jellyfin/server-url-verify` endpoint, allowing authenticated users to probe internal network resources.","title":"Movary SSRF Vulnerability (CVE-2026-40348)","url":"https://feed.craftedsignal.io/briefs/2026-04-movary-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40349"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","cve-2026-40349"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMovary is a self-hosted web application designed for users to track and rate movies they have watched. Prior to version 0.71.1, the application contains a privilege escalation vulnerability (CVE-2026-40349). An authenticated user could modify their account to gain administrative privileges without proper authorization. This is achieved by sending a PUT request to the \u003ccode\u003e/settings/users/{userId}\u003c/code\u003e endpoint with the \u003ccode\u003eisAdmin\u003c/code\u003e field set to \u003ccode\u003etrue\u003c/code\u003e. This vulnerability exists because the application fails to implement sufficient authorization checks before updating the sensitive \u003ccode\u003eisAdmin\u003c/code\u003e field. Version 0.71.1 addresses this issue, mitigating the risk of unauthorized privilege escalation. The vulnerable versions expose self-hosted Movary instances to potential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Movary instance with a valid, non-administrative user account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the vulnerable \u003ccode\u003e/settings/users/{userId}\u003c/code\u003e endpoint that manages user profile settings.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PUT request to \u003ccode\u003e/settings/users/{userId}\u003c/code\u003e, substituting \u003ccode\u003e{userId}\u003c/code\u003e with their own user ID.\u003c/li\u003e\n\u003cli\u003eThe PUT request includes the parameter \u003ccode\u003eisAdmin=true\u003c/code\u003e within the request body, attempting to modify the user\u0026rsquo;s privilege level.\u003c/li\u003e\n\u003cli\u003eThe Movary server processes the PUT request without performing adequate authorization checks to verify the user\u0026rsquo;s authority to modify the \u003ccode\u003eisAdmin\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe server updates the user\u0026rsquo;s account, setting the \u003ccode\u003eisAdmin\u003c/code\u003e flag to \u003ccode\u003etrue\u003c/code\u003e, effectively granting the attacker administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out and back into the Movary instance.\u003c/li\u003e\n\u003cli\u003eUpon re-authentication, the attacker now possesses administrative privileges and can access and modify sensitive data, configurations, and potentially compromise the entire Movary instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain full administrative control over a Movary instance. This could lead to unauthorized access to user data, modification or deletion of movies and ratings, and potentially complete compromise of the server hosting the application. The number of affected instances is unknown but depends on the number of deployments running vulnerable versions of Movary. The severity is high, as it allows a low-privilege user to gain complete control over the application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Movary instances to version 0.71.1 or later to remediate the vulnerability (references: Overview section).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious PUT requests to \u003ccode\u003e/settings/users/{userId}\u003c/code\u003e attempting to modify the \u003ccode\u003eisAdmin\u003c/code\u003e parameter (references: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement input validation and authorization checks on the server-side to prevent unauthorized modification of sensitive user attributes (references: CVE-2026-40349 description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T00:16:38Z","date_published":"2026-04-18T00:16:38Z","id":"/briefs/2026-04-movary-privesc/","summary":"Movary versions prior to 0.71.1 allow authenticated users to escalate privileges to administrator by manipulating the `isAdmin` field via a PUT request to the `/settings/users/{userId}` endpoint, due to missing authorization checks.","title":"Movary Privilege Escalation Vulnerability (CVE-2026-40349)","url":"https://feed.craftedsignal.io/briefs/2026-04-movary-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40286"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","web-application","cve-2026-40286"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeGIA, a web manager for charitable institutions, is vulnerable to Stored Cross-Site Scripting (XSS) in versions prior to 3.6.10. The vulnerability, identified as CVE-2026-40286, resides in the \u0026lsquo;Member Registration\u0026rsquo; function, specifically the \u0026lsquo;Member Name\u0026rsquo; field. Attackers can inject malicious JavaScript code into this field. Because input is not properly validated and sanitized, the injected script is then stored in the application database.  Any user accessing the profile containing the malicious script will have the script executed in their browser.  This can lead to session hijacking, credential theft, or defacement. WeGIA version 3.6.10 addresses this vulnerability by implementing proper input sanitization. This vulnerability was reported on April 17, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable WeGIA instance running a version prior to 3.6.10.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the \u0026lsquo;Member Registration\u0026rsquo; (Cadastrar Sócio) page.\u003c/li\u003e\n\u003cli\u003eIn the \u0026lsquo;Member Name\u0026rsquo; (Nome Sócio) field, the attacker injects a malicious JavaScript payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;);\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the registration form.\u003c/li\u003e\n\u003cli\u003eThe WeGIA application stores the malicious payload in the database without proper sanitization.\u003c/li\u003e\n\u003cli\u003eA legitimate user navigates to a page displaying the compromised \u0026lsquo;Member Name\u0026rsquo; field, such as a member profile page.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code is executed within the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing cookies or redirecting the user to a malicious website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability could lead to a range of consequences, including account compromise, data theft, and website defacement. An attacker could steal session cookies and impersonate legitimate users, gaining unauthorized access to sensitive information.  Due to the vulnerability residing in a web application, impact is limited to the users of the application, potentially exposing sensitive information and allowing threat actors the ability to modify the application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WeGIA installations to version 3.6.10 or later to remediate CVE-2026-40286.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied data, especially in the \u0026lsquo;Member Name\u0026rsquo; field, to prevent XSS attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003etitle: \u0026quot;Detect WeGIA XSS Attempt via HTTP Request\u0026quot;\u003c/code\u003e to detect potential XSS payloads in HTTP requests.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious activity, such as unusual characters or script tags in HTTP request parameters, to identify potential XSS attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T21:16:34Z","date_published":"2026-04-17T21:16:34Z","id":"/briefs/2026-04-wegia-xss/","summary":"A stored Cross-Site Scripting (XSS) vulnerability exists in WeGIA versions prior to 3.6.10, allowing attackers to inject malicious scripts into the 'Member Name' field during member registration, leading to persistent execution upon user access.","title":"WeGIA Stored Cross-Site Scripting Vulnerability (CVE-2026-40286)","url":"https://feed.craftedsignal.io/briefs/2026-04-wegia-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34393"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["weblate","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeblate, a web-based localization tool, contains an improper privilege management vulnerability (CVE-2026-34393) affecting versions prior to 5.17. The vulnerability lies in the user patching API endpoint, which doesn\u0026rsquo;t adequately restrict the scope of edits allowed. An attacker with low privileges could potentially exploit this flaw to modify data or settings beyond their authorized permissions. This issue was reported and patched in Weblate version 5.17. Successful exploitation can lead to data integrity issues, unauthorized access to sensitive information, and potentially, complete compromise of the Weblate instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to Weblate with a low-privileged user account.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the user patching API endpoint (e.g., \u003ccode\u003e/api/users/\u0026lt;user_id\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious API request to modify attributes of a different user account, potentially an administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the request to the vulnerable API endpoint, exploiting the lack of proper scope validation.\u003c/li\u003e\n\u003cli\u003eThe Weblate server processes the request without correctly verifying the attacker\u0026rsquo;s authorization to modify the target user\u0026rsquo;s attributes.\u003c/li\u003e\n\u003cli\u003eThe target user\u0026rsquo;s attributes are modified according to the attacker\u0026rsquo;s request, potentially elevating the attacker\u0026rsquo;s privileges or compromising the target user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data or perform unauthorized actions within the Weblate system.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistent access by creating new admin accounts or backdoors within the Weblate system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34393 can lead to significant data breaches, unauthorized modifications, and complete compromise of the Weblate instance. An attacker could gain administrative access, modify translations, and potentially inject malicious content into localized software. The number of affected installations is currently unknown, but any Weblate instance running a version prior to 5.17 is vulnerable. Organizations that rely on Weblate for their localization workflows are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Weblate to version 5.17 or later to patch CVE-2026-34393.\u003c/li\u003e\n\u003cli\u003eMonitor Weblate\u0026rsquo;s web server logs for suspicious API requests targeting the user patching endpoint (\u003ccode\u003e/api/users/\u0026lt;user_id\u0026gt;\u003c/code\u003e) as described in the Attack Chain (use the Sigma rule provided below).\u003c/li\u003e\n\u003cli\u003eReview user account permissions and audit logs for any unexpected privilege escalations.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and authorization checks within the Weblate application to prevent similar vulnerabilities in the future.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-weblate-privilege-escalation/","summary":"Weblate versions prior to 5.17 are vulnerable to improper privilege management due to an API endpoint failing to properly limit the scope of edits, potentially leading to unauthorized modifications.","title":"Weblate Improper Privilege Management via API Endpoint (CVE-2026-34393)","url":"https://feed.craftedsignal.io/briefs/2026-04-weblate-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","broken-access-control","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe wger application exposes a global configuration edit endpoint at \u003ccode\u003e/config/gym-config/edit\u003c/code\u003e that is vulnerable to broken access control. The vulnerability exists because the \u003ccode\u003eGymConfigUpdateView\u003c/code\u003e uses the wrong mixin (\u003ccode\u003eWgerFormMixin\u003c/code\u003e instead of \u003ccode\u003eWgerPermissionMixin\u003c/code\u003e), preventing proper enforcement of the \u003ccode\u003econfig.change_gymconfig\u003c/code\u003e permission. This allows a low-privileged authenticated user to modify the global \u003ccode\u003eGymConfig\u003c/code\u003e singleton (pk=1), triggering server-side side effects via the \u003ccode\u003eGymConfig.save()\u003c/code\u003e method. This vertical privilege escalation allows unauthorized modification of installation-wide state and bulk updates to other users’ records, violating the intended administrative trust boundary. The vulnerability affects wger versions 2.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the wger application with a low-privileged user account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the global configuration edit endpoint at \u003ccode\u003e/config/gym-config/edit\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server processes the request via the \u003ccode\u003eGymConfigUpdateView\u003c/code\u003e which inherits from \u003ccode\u003eWgerFormMixin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWgerFormMixin\u003c/code\u003e attempts to perform ownership checks but fails because \u003ccode\u003eGymConfig\u003c/code\u003e does not implement \u003ccode\u003eget_owner_object()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application allows the attacker to modify the \u003ccode\u003edefault_gym\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the form with a modified \u003ccode\u003edefault_gym\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eGymConfig.save()\u003c/code\u003e method is called, updating \u003ccode\u003eUserProfile\u003c/code\u003e records with a gym set to null.\u003c/li\u003e\n\u003cli\u003eThe attacker has successfully modified installation-wide configuration, potentially bulk-updating user records and violating administrative trust boundaries.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a low-privileged user to escalate privileges and modify global configuration settings. This could lead to unauthorized modification of user profiles and tenant assignments, affecting new registrations and existing users lacking a gym. On deployments with multiple gyms, this vulnerability can result in widespread data manipulation and a violation of the intended administrative trust boundary. The vulnerability affects wger deployments, impacting organizations that rely on the application for managing fitness and exercise data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by ensuring permission enforcement runs before the form dispatch. Implement the suggested code change in \u003ccode\u003ewger/config/views/gym_config.py\u003c/code\u003e using the project mixin by updating the inheritance order: \u003ccode\u003eclass GymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, UpdateView):\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;wger GymConfig Update by Low-Privilege User\u0026rdquo; to detect unauthorized modification of the GymConfig object via the \u003ccode\u003e/config/gym-config/edit\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/config/gym-config/edit\u003c/code\u003e endpoint originating from low-privileged user accounts, using the URL as an indicator.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T01:35:16Z","date_published":"2026-04-16T01:35:16Z","id":"/briefs/2024-01-09-wger-privesc/","summary":"The wger application has a broken access control vulnerability in the global gym configuration update endpoint, allowing low-privileged authenticated users to modify installation-wide configuration settings and escalate privileges.","title":"wger Broken Access Control in Global Gym Configuration Update Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-09-wger-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["oauth2-proxy","authentication-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOAuth2 Proxy is vulnerable to an authentication bypass (CVE-2026-34457) when configured with \u003ccode\u003eauth_request\u003c/code\u003e-style integration (e.g., nginx \u003ccode\u003eauth_request\u003c/code\u003e) and either the \u003ccode\u003e--ping-user-agent\u003c/code\u003e option is set or \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e is enabled. This flaw allows an unauthenticated remote attacker to gain unauthorized access to protected upstream resources. The vulnerability exists because OAuth2 Proxy incorrectly treats requests with the configured health check \u003ccode\u003eUser-Agent\u003c/code\u003e value as legitimate health checks, irrespective of the requested path. This bypasses the normal login flow, granting access without proper authentication. Versions prior to v7.15.2 are affected, alongside versions \u0026lt;= 3.2.0. Defenders must take immediate action to remediate affected deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OAuth2 Proxy deployment utilizing \u003ccode\u003eauth_request\u003c/code\u003e and either \u003ccode\u003e--ping-user-agent\u003c/code\u003e or \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker determines the configured \u003ccode\u003e--ping-user-agent\u003c/code\u003e value or identifies that \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e is enabled (default User-Agent: GoogleHC/1.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP request to a protected resource, setting the \u003ccode\u003eUser-Agent\u003c/code\u003e header to the configured \u003ccode\u003e--ping-user-agent\u003c/code\u003e value (or \u0026ldquo;GoogleHC/1.0\u0026rdquo; if \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e is enabled).\u003c/li\u003e\n\u003cli\u003eThe reverse proxy (e.g., Nginx) forwards the request to the OAuth2 Proxy\u0026rsquo;s \u003ccode\u003e/oauth2/auth\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy incorrectly interprets the request as a health check due to the matching \u003ccode\u003eUser-Agent\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy responds to the reverse proxy with a 200 OK status, indicating successful authentication.\u003c/li\u003e\n\u003cli\u003eThe reverse proxy, believing the authentication was successful, forwards the attacker\u0026rsquo;s request to the protected upstream resource.\u003c/li\u003e\n\u003cli\u003eAttacker successfully accesses the protected resource without authenticating, achieving unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in complete authentication bypass, granting attackers unauthorized access to sensitive resources protected by OAuth2 Proxy. The number of affected deployments is unknown, but any organization using OAuth2 Proxy with the specified configurations is potentially at risk. This can lead to data breaches, service disruption, and other severe security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OAuth2 Proxy version \u003ccode\u003ev7.15.2\u003c/code\u003e or later to patch CVE-2026-34457.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e flag if it is enabled.\u003c/li\u003e\n\u003cli\u003eRemove any configured \u003ccode\u003e--ping-user-agent\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eImplement reverse proxy configurations, such as the provided Nginx example, to prevent forwarding client-controlled \u003ccode\u003eUser-Agent\u003c/code\u003e headers to the OAuth2 Proxy \u003ccode\u003e/oauth2/auth\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;OAuth2 Proxy Authentication Bypass Attempt\u0026rdquo; to detect malicious requests exploiting this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-oauth2-bypass/","summary":"A critical authentication bypass vulnerability (CVE-2026-34457) exists in OAuth2 Proxy when used with `auth_request`-style integration and either `--ping-user-agent` is set or `--gcp-healthchecks` is enabled, allowing unauthenticated access to protected resources.","title":"OAuth2 Proxy Authentication Bypass via User-Agent Header","url":"https://feed.craftedsignal.io/briefs/2026-04-oauth2-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-65135"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","cve-2025-65135","school-management-system","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical time-based blind SQL injection vulnerability, identified as CVE-2025-65135, affects version 1.0 of the manikandan580 School-management-system. This vulnerability resides in the \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e script and is exploitable through the \u003ccode\u003efromdate\u003c/code\u003e POST parameter. Given the nature of the vulnerability, attackers can potentially bypass authentication and execute arbitrary SQL queries on the back-end database. Successful exploitation could lead to unauthorized access to sensitive student data, administrative credentials, and other confidential information managed by the school system. This vulnerability poses a significant risk to educational institutions utilizing the affected software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a manipulated \u003ccode\u003efromdate\u003c/code\u003e parameter containing a time-based blind SQL injection payload (e.g., \u003ccode\u003efromdate=1' AND SLEEP(5) -- -\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the crafted SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload executes a \u003ccode\u003eSLEEP()\u003c/code\u003e function or equivalent based on database type, causing a delay in the server\u0026rsquo;s response if the injected condition is true.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the server response time to infer the results of the injected SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the blind SQL injection technique to extract sensitive data from the database, such as usernames, passwords, and student records, character by character.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials to gain unauthorized administrative access to the School-management-system, leading to potential data breaches and system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-65135 could result in a complete compromise of the manikandan580 School-management-system. Attackers could gain access to personally identifiable information (PII) of students, financial records, and other sensitive data. This data could be used for identity theft, financial fraud, or extortion. The vulnerable system could also be used as a launchpad for further attacks against other systems within the network. Due to the potential for widespread data breaches, this vulnerability represents a critical risk for schools and educational institutions using the affected software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates released by manikandan580 to address CVE-2025-65135.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection attacks on the \u003ccode\u003efromdate\u003c/code\u003e POST parameter in \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/studentms/admin/between-date-reprtsdetails.php\u003c/code\u003e containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-school-management-sqli/","summary":"A time-based blind SQL injection vulnerability in manikandan580 School-management-system 1.0 allows unauthenticated attackers to potentially execute arbitrary SQL queries and gain unauthorized access to sensitive information.","title":"manikandan580 School-management-system SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-school-management-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-63939"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sql-injection","web-application","cve-2025-63939"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-63939 is a SQL injection vulnerability found in anirudhkannan Grocery Store Management System version 1.0. The vulnerability resides in the \u003ccode\u003e/Grocery/search_products_itname.php\u003c/code\u003e script, specifically related to improper input handling of the \u003ccode\u003esitem_name\u003c/code\u003e POST parameter. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the \u003ccode\u003esitem_name\u003c/code\u003e parameter, potentially leading to unauthorized access to the database, data exfiltration, modification, or even complete system compromise. The vulnerable software is a web application typically deployed on web servers, potentially exposing a wide range of grocery stores and related businesses to this critical flaw. This vulnerability was published on 2026-04-14.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an instance of anirudhkannan Grocery Store Management System 1.0 running on a web server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/Grocery/search_products_itname.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes the \u003ccode\u003esitem_name\u003c/code\u003e parameter, containing SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe web server receives the malicious request and passes the \u003ccode\u003esitem_name\u003c/code\u003e value to the vulnerable SQL query without proper sanitization or escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed by the database server, allowing the attacker to manipulate the database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses SQL injection techniques (e.g., \u003ccode\u003eUNION SELECT\u003c/code\u003e, \u003ccode\u003eSLEEP()\u003c/code\u003e) to extract sensitive data, such as user credentials, product information, or financial records.\u003c/li\u003e\n\u003cli\u003eDepending on database privileges, the attacker could modify existing data (e.g., changing product prices, altering inventory levels) or insert new data (e.g., creating rogue administrator accounts).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the database, potentially leading to full system compromise, data exfiltration, or denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-63939 can have severe consequences. An attacker could gain unauthorized access to sensitive customer data, including personal information, payment details, and order history. This can lead to financial losses, reputational damage, and legal liabilities for the affected grocery store. The attacker could also manipulate product information, alter pricing, or disrupt business operations. In a worst-case scenario, the attacker could gain complete control of the database server, leading to full system compromise and significant financial and operational losses. Given the widespread use of vulnerable versions, a large number of grocery stores using this software are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patches or updates provided by the vendor to address CVE-2025-63939. If a patch is unavailable, consider implementing a web application firewall (WAF) rule to filter out malicious SQL injection attempts targeting the \u003ccode\u003e/Grocery/search_products_itname.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting SQL Injection Attempts via sitem_name Parameter\u003c/code\u003e to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden database access controls to limit the impact of successful SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/Grocery/search_products_itname.php\u003c/code\u003e containing potentially malicious SQL syntax, as detected by \u003ccode\u003eDetecting SQL Injection Attempts via sitem_name Parameter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInspect traffic for connections to the URL \u003ccode\u003ehttps://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939\u003c/code\u003e to identify potential reconnaissance activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T16:16:33Z","date_published":"2026-04-14T16:16:33Z","id":"/briefs/2026-04-grocery-store-sqli/","summary":"A critical SQL injection vulnerability (CVE-2025-63939) exists in the anirudhkannan Grocery Store Management System 1.0, allowing unauthenticated attackers to execute arbitrary SQL queries via the sitem_name POST parameter in /Grocery/search_products_itname.php.","title":"SQL Injection Vulnerability in anirudhkannan Grocery Store Management System 1.0 (CVE-2025-63939)","url":"https://feed.craftedsignal.io/briefs/2026-04-grocery-store-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6193"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-6193","php","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw has been identified in PHPGurukul Daily Expense Tracking System version 1.1. This vulnerability resides in the \u003ccode\u003e/register.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eemail\u003c/code\u003e argument. Successful exploitation enables remote SQL injection, potentially granting attackers unauthorized access to sensitive database information or allowing them to modify data. This vulnerability, identified as CVE-2026-6193, has a CVSS v3.1 score of 7.3, indicating a high level of severity. The existence of a publicly available exploit increases the risk of widespread exploitation. Organizations using this software should take immediate action to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of PHPGurukul Daily Expense Tracking System 1.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/register.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects SQL code into the \u003ccode\u003eemail\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code, potentially allowing the attacker to read, modify, or delete data.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the initial SQL injection to escalate privileges within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially gain access to administrative credentials stored in the database.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker uses the compromised credentials to gain full control over the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to severe consequences. Attackers could gain unauthorized access to sensitive user data, including usernames, passwords, and financial information. This could result in identity theft, financial fraud, and reputational damage for both the organization and its users. The attacker could also modify or delete data, disrupt the application\u0026rsquo;s functionality, or even gain complete control of the server. Given the availability of a public exploit, the likelihood of attacks is significantly increased.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates provided by PHPGurukul to address CVE-2026-6193.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Attempts in PHPGurukul Registration\u0026rdquo; to identify exploitation attempts targeting the \u003ccode\u003e/register.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures on the \u003ccode\u003eemail\u003c/code\u003e parameter in \u003ccode\u003e/register.php\u003c/code\u003e to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual characters or SQL syntax in the \u003ccode\u003eemail\u003c/code\u003e parameter, which could indicate an attempted SQL injection (webserver log source).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing SQL injection payloads targeting \u003ccode\u003e/register.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-php-gurukul-sqli/","summary":"A remote SQL injection vulnerability exists in PHPGurukul Daily Expense Tracking System 1.1 within the /register.php file, where manipulation of the email argument allows for arbitrary SQL command execution, with a public exploit available.","title":"PHPGurukul Daily Expense Tracking System SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-php-gurukul-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-40042"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["xxe","cve-2026-40042","pachno","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePachno 1.0.6 is susceptible to an XML External Entity (XXE) injection vulnerability, identified as CVE-2026-40042. This flaw resides in the TextParser helper component, where unsafe XML parsing occurs. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the server. The attack involves injecting malicious XML entities into various parts of the application, including wiki table syntax, issue descriptions, comments, and wiki articles. The vulnerability is triggered by the use of the simplexml_load_string() function without proper restrictions (LIBXML_NONET), enabling the resolution of external entities. This issue poses a significant risk as it allows unauthorized access to sensitive data stored on the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Pachno 1.0.6 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload containing an external entity declaration. This payload aims to read a sensitive file on the server, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious XML payload into a wiki page, issue description, or comment using wiki table syntax or inline tags.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s TextParser helper processes the injected content using simplexml_load_string() without the LIBXML_NONET flag.\u003c/li\u003e\n\u003cli\u003eThe XML parser attempts to resolve the external entity, initiating a request to read the specified file.\u003c/li\u003e\n\u003cli\u003eThe targeted file\u0026rsquo;s contents are embedded into the XML response due to the XXE vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the parsed XML response, which now contains the content of the targeted file, thus achieving unauthorized file access.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to access other sensitive files, potentially gaining critical information about the system and its configuration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XXE vulnerability (CVE-2026-40042) in Pachno 1.0.6 allows an unauthenticated attacker to read arbitrary files from the server. The impact can range from exposing sensitive configuration files and application code to potentially gaining access to user credentials or other confidential data. This information could be used for further malicious activities, such as lateral movement within the network or data exfiltration. Given the ease of exploitation and the potential for significant data leakage, this vulnerability represents a critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Pachno that addresses CVE-2026-40042 by implementing proper XML parsing and disabling external entity resolution.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to prevent the injection of malicious XML payloads into wiki pages, issue descriptions, and comments.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing XML entity declarations, which may indicate attempted exploitation of this vulnerability. See the provided Sigma rule for guidance.\u003c/li\u003e\n\u003cli\u003eBlock the domains \u003ccode\u003ewww.vulncheck.com\u003c/code\u003e and \u003ccode\u003ewww.zeroscience.mk\u003c/code\u003e at the network level to prevent access to related advisory information, hindering attacker reconnaissance.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-pachno-xxe/","summary":"Pachno 1.0.6 is vulnerable to XML external entity injection, allowing unauthenticated attackers to read arbitrary files by injecting malicious XML entities into wiki content due to unsafe XML parsing in the TextParser helper.","title":"Pachno 1.0.6 XML External Entity Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-pachno-xxe/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6182"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-6182"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in code-projects Simple Content Management System (CMS) version 1.0. The vulnerability resides in the \u003ccode\u003e/web/admin/login.php\u003c/code\u003e file and stems from improper sanitization of user-supplied input within the \u003ccode\u003eUser\u003c/code\u003e argument. An unauthenticated, remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploits exist, increasing the risk of widespread exploitation. Given the simplicity of the targeted software, many small businesses or personal websites could be running vulnerable instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a publicly accessible instance of Simple Content Management System 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/web/admin/login.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload within the \u003ccode\u003eUser\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious payload to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL commands, allowing the attacker to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized administrative access to the CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the CMS content or extracts sensitive data from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may install a web shell for persistent access and further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants attackers unauthorized access to the Simple Content Management System 1.0. This can lead to sensitive data exfiltration, modification of website content (defacement), or complete takeover of the underlying server. The vulnerable software is likely used by individuals or small businesses, potentially leading to a significant impact on their online presence and data security. Given the public availability of exploits, mass exploitation is a realistic threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/web/admin/login.php\u003c/code\u003e containing suspicious characters or SQL keywords in the \u003ccode\u003eUser\u003c/code\u003e parameter to detect potential exploitation attempts (see rule: \u0026ldquo;Detect SQL Injection Attempts in Simple CMS Login\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual database errors originating from \u003ccode\u003e/web/admin/login.php\u003c/code\u003e, which may indicate successful SQL injection (see rule: \u0026ldquo;Detect Simple CMS SQL Injection Errors\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied data, particularly within the \u003ccode\u003e/web/admin/login.php\u003c/code\u003e script, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eOrganizations using code-projects Simple Content Management System 1.0 should consider migrating to a more secure platform or applying security patches if available from the vendor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T15:17:49Z","date_published":"2026-04-13T15:17:49Z","id":"/briefs/2026-04-simple-cms-sqli/","summary":"A remote SQL injection vulnerability exists in code-projects Simple Content Management System 1.0, specifically affecting the /web/admin/login.php file where manipulation of the 'User' argument allows unauthenticated attackers to execute arbitrary SQL queries.","title":"SQL Injection Vulnerability in Simple Content Management System 1.0","url":"https://feed.craftedsignal.io/briefs/2026-04-simple-cms-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6167"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe code-projects Faculty Management System 1.0 is vulnerable to SQL injection (CVE-2026-6167) within the \u003ccode\u003e/subject-print.php\u003c/code\u003e file. The vulnerability stems from improper sanitization of the \u003ccode\u003eID\u003c/code\u003e argument, allowing a remote attacker to inject arbitrary SQL commands. This exploit has been publicly disclosed, increasing the risk of widespread exploitation. Given the sensitive nature of data managed by faculty management systems, successful exploitation could lead to significant data breaches, system compromise, and disruption of academic operations. The lack of required authentication to trigger the vulnerability makes it particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of code-projects Faculty Management System 1.0 accessible over the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/subject-print.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a modified \u003ccode\u003eID\u003c/code\u003e parameter containing SQL injection payloads. For example, \u003ccode\u003eID=1' OR '1'='1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the unsanitized \u003ccode\u003eID\u003c/code\u003e parameter to the underlying SQL database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed by the database, potentially allowing the attacker to bypass authentication or access unauthorized data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection to extract sensitive data from the database, such as usernames, passwords, student records, or financial information.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the extracted credentials to gain administrative access to the application.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker could modify or delete data within the database, exfiltrate data, or pivot to other systems within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-6167) in code-projects Faculty Management System 1.0 can lead to severe consequences. An attacker could potentially access and exfiltrate sensitive student and faculty data, modify grades, compromise user accounts, and disrupt academic operations. The public availability of the exploit increases the likelihood of widespread attacks targeting vulnerable systems, potentially impacting numerous educational institutions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious HTTP requests targeting \u003ccode\u003e/subject-print.php\u003c/code\u003e with unusual characters or SQL keywords in the \u003ccode\u003eID\u003c/code\u003e parameter to detect potential exploitation attempts. Use the provided Sigma rule to facilitate this.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to block requests containing SQL injection payloads targeting \u003ccode\u003e/subject-print.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eID\u003c/code\u003e parameter in \u003ccode\u003e/subject-print.php\u003c/code\u003e to prevent SQL injection, effectively patching CVE-2026-6167.\u003c/li\u003e\n\u003cli\u003eMonitor database logs for unusual queries originating from the web application server that could indicate successful SQL injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T07:16:51Z","date_published":"2026-04-13T07:16:51Z","id":"/briefs/2026-04-faculty-mgmt-sqli/","summary":"A remote attacker can exploit an SQL injection vulnerability (CVE-2026-6167) in the code-projects Faculty Management System 1.0 by manipulating the ID argument in the /subject-print.php file, potentially leading to data exfiltration or modification.","title":"SQL Injection Vulnerability in Faculty Management System","url":"https://feed.craftedsignal.io/briefs/2026-04-faculty-mgmt-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6165"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","cve-2026-6165"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6165 identifies an SQL injection vulnerability within the code-projects Vehicle Showroom Management System version 1.0. The vulnerability resides in the \u003ccode\u003e/util/Login_check.php\u003c/code\u003e file and can be exploited by manipulating the \u003ccode\u003eID\u003c/code\u003e argument. Successful exploitation allows attackers to inject malicious SQL queries, potentially gaining unauthorized access to sensitive data, modifying database contents, or even executing arbitrary commands on the underlying server. As a publicly available exploit exists, the risk of exploitation is elevated, making it crucial for organizations using this software to implement mitigation measures. The scope of this vulnerability impacts any deployment of the affected Vehicle Showroom Management System version 1.0 exposed to network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Vehicle Showroom Management System 1.0 instance exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/util/Login_check.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003eID\u003c/code\u003e parameter of the HTTP request, bypassing input validation.\u003c/li\u003e\n\u003cli\u003eThe web application processes the malicious SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information from the database, such as user credentials or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify database entries, such as altering prices or inventory.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially leverage the SQL injection to gain code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6165 can lead to a range of severe consequences. An attacker could gain unauthorized access to sensitive customer data, including personally identifiable information (PII) and financial details. Data breaches can result in significant financial losses, reputational damage, and legal liabilities. Furthermore, the ability to modify database contents could lead to manipulated sales figures, altered inventory, or even complete disruption of business operations. The vulnerability\u0026rsquo;s potential for remote code execution poses the highest risk, allowing attackers to establish a persistent foothold within the organization\u0026rsquo;s infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization techniques to the \u003ccode\u003eID\u003c/code\u003e parameter in \u003ccode\u003e/util/Login_check.php\u003c/code\u003e to prevent SQL injection (CVE-2026-6165).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious HTTP requests targeting \u003ccode\u003e/util/Login_check.php\u003c/code\u003e with potential SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) to filter malicious traffic and block known SQL injection patterns.\u003c/li\u003e\n\u003cli\u003eRegularly audit and patch all software components to address known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity and potential signs of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T06:17:51Z","date_published":"2026-04-13T06:17:51Z","id":"/briefs/2026-04-vehicle-showroom-sqli/","summary":"A remote attacker can exploit an SQL injection vulnerability (CVE-2026-6165) in code-projects Vehicle Showroom Management System 1.0 by manipulating the ID parameter in /util/Login_check.php, potentially leading to unauthorized data access and modification.","title":"SQL Injection Vulnerability in Vehicle Showroom Management System 1.0","url":"https://feed.craftedsignal.io/briefs/2026-04-vehicle-showroom-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6163"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical SQL injection vulnerability has been identified in code-projects Lost and Found Thing Management version 1.0, tracked as CVE-2026-6163. This vulnerability resides within the \u003ccode\u003e/catageory.php\u003c/code\u003e file and can be exploited by remotely manipulating the \u003ccode\u003ecat\u003c/code\u003e parameter. Due to the application\u0026rsquo;s failure to properly sanitize user-supplied input, an attacker can inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion. The existence of a publicly available exploit increases the risk of widespread exploitation. Organizations using this software should take immediate action to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of Lost and Found Thing Management 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/catageory.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload within the \u003ccode\u003ecat\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe web server receives the request and passes the unsanitized \u003ccode\u003ecat\u003c/code\u003e parameter to the application\u0026rsquo;s database query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed within the database context.\u003c/li\u003e\n\u003cli\u003eDepending on the injected code, the attacker can read sensitive data, modify existing records, or delete information from the database.\u003c/li\u003e\n\u003cli\u003eThe database server processes the malicious SQL query and returns the output.\u003c/li\u003e\n\u003cli\u003eThe application returns the modified output to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-6163) could allow a remote attacker to compromise the affected Lost and Found Thing Management 1.0 application. This may lead to unauthorized access to sensitive information stored within the database, such as user credentials, personal details of individuals who have lost or found items, and information about the items themselves. The attacker can potentially modify or delete records, leading to data corruption or denial of service. Due to the availability of a public exploit, the potential impact is significant for any organization running this vulnerable software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates provided by the vendor (code-projects.org) to remediate the SQL injection vulnerability in \u003ccode\u003e/catageory.php\u003c/code\u003e as soon as they become available.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied data, particularly the \u003ccode\u003ecat\u003c/code\u003e parameter in \u003ccode\u003e/catageory.php\u003c/code\u003e, to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Attempts via URI\u0026rdquo; to detect potential exploitation attempts against the \u003ccode\u003e/catageory.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview and restrict database user privileges to follow the principle of least privilege, limiting the impact of successful SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003e/catageory.php\u003c/code\u003e endpoint, such as unusual characters or SQL keywords in the \u003ccode\u003ecat\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T06:16:06Z","date_published":"2026-04-13T06:16:06Z","id":"/briefs/2026-04-lost-found-sql-injection/","summary":"A remote SQL injection vulnerability (CVE-2026-6163) exists in code-projects Lost and Found Thing Management 1.0 via manipulation of the 'cat' parameter in /catageory.php, potentially allowing attackers to read, modify, or delete database information.","title":"SQL Injection Vulnerability in Lost and Found Thing Management 1.0","url":"https://feed.craftedsignal.io/briefs/2026-04-lost-found-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6161"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve-2026-6161"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical SQL injection vulnerability, identified as CVE-2026-6161, has been discovered in Simple ChatBox version 1.0 and earlier. This flaw resides in the \u003ccode\u003e/chatbox/insert.php\u003c/code\u003e file, which is responsible for handling chat message insertion. A remote attacker can exploit this vulnerability by injecting malicious SQL code into the \u003ccode\u003emsg\u003c/code\u003e parameter of an HTTP request, without needing authentication. The attacker\u0026rsquo;s malicious SQL commands are then executed against the application database. The exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation could lead to unauthorized data access, modification, or even complete database takeover. Due to the ease of exploitation and potential impact, this vulnerability poses a significant threat to systems running vulnerable versions of Simple ChatBox.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Simple ChatBox installation running version 1.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/chatbox/insert.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003emsg\u003c/code\u003e parameter of the POST request. This code could be designed to extract data, modify existing data, or insert new data into the database.\u003c/li\u003e\n\u003cli\u003eThe web server receives the malicious HTTP request and passes the \u003ccode\u003emsg\u003c/code\u003e parameter to the vulnerable PHP script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/chatbox/insert.php\u003c/code\u003e script fails to properly sanitize the \u003ccode\u003emsg\u003c/code\u003e parameter before using it in an SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the Simple ChatBox database, granting the attacker unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker may use this access to read sensitive data, such as user credentials or private messages.\u003c/li\u003e\n\u003cli\u003eThe attacker could also modify data to deface the chatbox or inject malicious content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6161 can lead to a range of severe consequences. An attacker can gain unauthorized access to the Simple ChatBox database, potentially compromising sensitive information such as user credentials, private messages, and other application data. This can result in data breaches, identity theft, and reputational damage. Furthermore, the attacker could modify or delete data, leading to data loss or service disruption. In the worst-case scenario, the attacker could gain complete control over the database server, potentially compromising other applications or systems hosted on the same server. Due to the public availability of the exploit, unpatched Simple ChatBox installations are at significant risk of being targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization techniques to the \u003ccode\u003emsg\u003c/code\u003e parameter within the \u003ccode\u003e/chatbox/insert.php\u003c/code\u003e file to prevent SQL injection (reference: CVE-2026-6161).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious HTTP requests targeting \u003ccode\u003e/chatbox/insert.php\u003c/code\u003e with potentially malicious SQL payloads (reference: the Sigma rule \u0026ldquo;Detect Simple Chatbox SQL Injection Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement database access controls to limit the privileges of the Simple ChatBox application to the minimum required for its operation, mitigating potential damage from successful SQL injection (reference: CVE-2026-6161).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T05:16:05Z","date_published":"2026-04-13T05:16:05Z","id":"/briefs/2026-04-simple-chatbox-sql-injection/","summary":"CVE-2026-6161 is an unauthenticated SQL injection vulnerability in the Simple ChatBox application (\u003c= 1.0) that can be exploited by sending a crafted HTTP request to `/chatbox/insert.php`.","title":"Simple ChatBox Unauthenticated SQL Injection Vulnerability (CVE-2026-6161)","url":"https://feed.craftedsignal.io/briefs/2026-04-simple-chatbox-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2019-25713"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve-2019-25713"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMyT-PM 1.5.1 is susceptible to an SQL injection vulnerability (CVE-2019-25713) that enables authenticated attackers to execute arbitrary SQL queries. This vulnerability exists due to insufficient input sanitization of the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter. By sending specially crafted POST requests to the \u003ccode\u003e/charge/admin\u003c/code\u003e endpoint, an attacker can inject malicious SQL code, potentially leading to sensitive data extraction, data manipulation, or other unauthorized actions. This vulnerability poses a significant risk to organizations using MyT-PM 1.5.1 as it could compromise the integrity and confidentiality of their data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the MyT-PM 1.5.1 application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/charge/admin\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker injects SQL code into the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application processes the request without properly sanitizing the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection to extract sensitive data (e.g., user credentials, financial information) using error-based, time-based blind, or stacked query payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may further manipulate data within the database, potentially altering records or creating new entries.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the database, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to the unauthorized disclosure of sensitive information, such as user credentials, financial records, and other confidential data stored within the MyT-PM database. Attackers may also be able to modify or delete data, leading to data integrity issues and potential disruption of business operations. This could result in financial losses, reputational damage, and legal repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade to a secure version of MyT-PM that addresses CVE-2019-25713.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potentially malicious requests containing SQL injection attempts targeting the \u003ccode\u003e/charge/admin\u003c/code\u003e endpoint and the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection vulnerabilities in MyT-PM and other web applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/charge/admin\u003c/code\u003e with unusual characters or SQL keywords in the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:34Z","date_published":"2026-04-12T13:16:34Z","id":"/briefs/2026-04-mytpm-sqli/","summary":"MyT-PM 1.5.1 is vulnerable to SQL injection, allowing authenticated attackers to execute arbitrary SQL queries via the Charge[group_total] parameter.","title":"MyT-PM 1.5.1 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-mytpm-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2019-25710"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2019-25710","dolibarr","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDolibarr ERP-CRM is a popular open-source enterprise resource planning and customer relationship management software. Version 8.0.4 of Dolibarr is susceptible to a critical SQL injection vulnerability (CVE-2019-25710) affecting the \u003ccode\u003erowid\u003c/code\u003e parameter in the \u003ccode\u003eadmin dict.php\u003c/code\u003e endpoint. This flaw allows unauthenticated attackers to inject malicious SQL code through the \u003ccode\u003erowid\u003c/code\u003e POST parameter. Successful exploitation enables attackers to execute arbitrary SQL queries against the Dolibarr database, potentially leading to the exposure of sensitive information, modification of data, or complete compromise of the application. This vulnerability can be exploited using error-based SQL injection techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Dolibarr ERP-CRM instance running version 8.0.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eadmin/dict.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003erowid\u003c/code\u003e parameter containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request and executes the injected SQL code within the database query.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages error-based SQL injection techniques to extract sensitive information from the database, such as user credentials, API keys, or financial data.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the error messages returned by the application to refine the SQL injection payload and bypass any security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially uses the extracted credentials to gain unauthorized access to other parts of the application or the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to severe consequences, including unauthorized access to sensitive data, data breaches, and complete compromise of the Dolibarr ERP-CRM system. The vulnerability allows attackers to extract sensitive database information, modify data, or potentially execute arbitrary code on the server. Given that ERP and CRM systems often contain critical business data, the impact can be significant for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade to a secure version of Dolibarr ERP-CRM to remediate CVE-2019-25710.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Dolibarr rowid Parameter SQL Injection Attempt\u003c/code\u003e to your SIEM to identify potential exploitation attempts against the \u003ccode\u003eadmin/dict.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003eadmin/dict.php\u003c/code\u003e with suspicious characters or SQL keywords in the \u003ccode\u003erowid\u003c/code\u003e parameter to detect potential attacks.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to filter out malicious SQL injection payloads targeting the \u003ccode\u003erowid\u003c/code\u003e parameter in \u003ccode\u003eadmin/dict.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:34Z","date_published":"2026-04-12T13:16:34Z","id":"/briefs/2026-04-dolibarr-sqli/","summary":"Dolibarr ERP-CRM 8.0.4 is vulnerable to SQL injection via the rowid parameter in the admin dict.php endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive database information.","title":"Dolibarr ERP-CRM 8.0.4 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dolibarr-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2019-25707"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve-2019-25707"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eeBrigade ERP 4.5 is susceptible to an SQL injection vulnerability (CVE-2019-25707) that enables authenticated attackers to execute arbitrary SQL queries. The vulnerability is located in the pdf.php script and is triggered via the \u0026lsquo;id\u0026rsquo; parameter. By injecting malicious SQL code into this parameter through a GET request, an attacker can potentially extract sensitive information from the database, including table names and schema details. This vulnerability poses a significant risk to organizations using eBrigade ERP 4.5, as successful exploitation could lead to data breaches, compromised credentials, and other malicious activities. The vulnerability was published on 2026-04-12.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for eBrigade ERP 4.5 either through credential stuffing or some other credential compromise technique.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL payload designed to extract sensitive information or manipulate the database.\u003c/li\u003e\n\u003cli\u003eThe attacker constructs a GET request targeting the pdf.php endpoint, embedding the malicious SQL payload within the \u0026lsquo;id\u0026rsquo; parameter (e.g., \u003ccode\u003epdf.php?id=1' UNION SELECT ...\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application fails to properly sanitize or validate the \u0026lsquo;id\u0026rsquo; parameter before incorporating it into an SQL query.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe database returns the results of the injected SQL query to the application.\u003c/li\u003e\n\u003cli\u003eThe application displays the extracted data to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted data (database schema, usernames, passwords, etc.) to further compromise the application or gain unauthorized access to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2019-25707) can lead to the extraction of sensitive information from the eBrigade ERP 4.5 database. This could include customer data, financial records, employee information, and other confidential data. The impact could range from data breaches and financial losses to reputational damage and legal repercussions. While the exact number of victims is unknown, any organization using eBrigade ERP 4.5 is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server access logs for suspicious GET requests to \u003ccode\u003epdf.php\u003c/code\u003e containing SQL syntax in the \u003ccode\u003eid\u003c/code\u003e parameter to detect exploitation attempts using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u0026lsquo;id\u0026rsquo; parameter in \u003ccode\u003epdf.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of eBrigade ERP or apply the necessary security patches provided by the vendor to remediate CVE-2019-25707.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual database activity originating from the eBrigade ERP 4.5 server.\u003c/li\u003e\n\u003cli\u003eBlock access to the known exploit URL (\u003ccode\u003ehttps://www.exploit-db.com/exploits/46117\u003c/code\u003e) at your web proxy or firewall.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:33Z","date_published":"2026-04-12T13:16:33Z","id":"/briefs/2026-04-ebrigade-sql-injection/","summary":"eBrigade ERP 4.5 is vulnerable to SQL injection via the 'id' parameter in pdf.php, allowing authenticated attackers to execute arbitrary SQL queries and extract sensitive database information.","title":"eBrigade ERP 4.5 SQL Injection Vulnerability (CVE-2019-25707)","url":"https://feed.craftedsignal.io/briefs/2026-04-ebrigade-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6126"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-6126","authentication-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-6126, has been discovered in zhayujie chatgpt-on-wechat CowAgent version 2.0.4. This flaw resides within an unspecified function of the Administrative HTTP Endpoint component. Successful exploitation of this vulnerability allows remote attackers to bypass authentication mechanisms, potentially leading to unauthorized access and control over the affected system. The vulnerability is due to missing authentication checks on a critical function. Publicly available exploits exist, increasing the likelihood of exploitation. The project maintainers were notified; however, there has been no response at the time of this writing. This poses a significant risk to any deployment of chatgpt-on-wechat CowAgent 2.0.4 accessible over a network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of zhayujie chatgpt-on-wechat CowAgent 2.0.4.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the Administrative HTTP Endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request bypasses authentication due to the missing authentication vulnerability (CVE-2026-6126).\u003c/li\u003e\n\u003cli\u003eThe request executes an unauthorized administrative function.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to sensitive data or configuration.\u003c/li\u003e\n\u003cli\u003eAttacker deploys a persistent backdoor for long-term access.\u003c/li\u003e\n\u003cli\u003eAttacker uses the backdoor to pivot to other systems or networks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6126 can lead to complete compromise of the chatgpt-on-wechat CowAgent instance. This may enable attackers to access sensitive data, modify configurations, or disrupt services. Given that the application integrates with WeChat, a successful attack might expose sensitive user data or allow the attacker to conduct further attacks via the compromised instance. Due to the ease of exploitation and public availability of exploit code, the risk is considered high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates for zhayujie chatgpt-on-wechat CowAgent to address CVE-2026-6126 as soon as they are released.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the Administrative HTTP Endpoint using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised CowAgent instance.\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) with rules to detect and block exploit attempts targeting CVE-2026-6126.\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of the chatgpt-on-wechat CowAgent deployment to identify and remediate potential vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T11:16:16Z","date_published":"2026-04-12T11:16:16Z","id":"/briefs/2026-04-cowagent-auth-bypass/","summary":"CVE-2026-6126 is an unauthenticated remote code execution vulnerability in zhayujie chatgpt-on-wechat CowAgent 2.0.4 due to missing authentication in the Administrative HTTP Endpoint.","title":"zhayujie chatgpt-on-wechat CowAgent Authentication Bypass Vulnerability (CVE-2026-6126)","url":"https://feed.craftedsignal.io/briefs/2026-04-cowagent-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-31940"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["session-fixation","web-application","cve-2026-31940"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a learning management system, is susceptible to a session fixation vulnerability (CVE-2026-31940) in versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability stems from the application\u0026rsquo;s handling of user-controlled request parameters in the \u003ccode\u003emain/lp/aicc_hacp.php\u003c/code\u003e file. Specifically, these parameters are used directly to set the PHP session ID before the global bootstrap is loaded. This allows an attacker to potentially set a predictable session ID for a user, leading to session hijacking. The vulnerability was reported and patched, with fixes available in versions 1.11.38 and 2.0.0-RC.3. This is important for defenders to address to ensure integrity and confidentiality of user sessions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL or form containing a specific session ID.\u003c/li\u003e\n\u003cli\u003eAttacker lures a victim to access the crafted URL or form.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser sends a request to the Chamilo LMS server with the attacker-controlled session ID.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS application, specifically the \u003ccode\u003emain/lp/aicc_hacp.php\u003c/code\u003e script, uses the attacker-provided session ID to initialize the PHP session.\u003c/li\u003e\n\u003cli\u003eThe victim authenticates to the Chamilo LMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the predetermined session ID to access the victim\u0026rsquo;s authenticated session.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to the victim\u0026rsquo;s account and associated data within the Chamilo LMS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to hijack legitimate user sessions on a Chamilo LMS instance. This could result in unauthorized access to sensitive student or instructor data, modification of course content, or other malicious activities. The impact is high, particularly for educational institutions and organizations that rely on Chamilo LMS for their online learning platforms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-31940.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003emain/lp/aicc_hacp.php\u003c/code\u003e containing unusual session ID parameters. Use the provided Sigma rule to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Potentially Malicious Session ID Parameter\u0026rdquo; Sigma rule to identify exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T14:30:00Z","date_published":"2026-04-11T14:30:00Z","id":"/briefs/2026-04-chamilo-session-fixation/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to session fixation due to user-controlled request parameters being used to set the PHP session ID, potentially allowing attackers to hijack user sessions.","title":"Chamilo LMS Session Fixation Vulnerability (CVE-2026-31940)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-session-fixation/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-40185"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-40185","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTREK is a collaborative travel planning application. Prior to version 2.7.2, a critical vulnerability existed within the application related to authorization checks. Specifically, the Immich trip photo management routes lacked proper authorization checks. This flaw, identified as CVE-2026-40185, could potentially allow unauthorized users to access and manipulate trip photos if exploited. The vulnerability was reported by GitHub, Inc. and patched in version 2.7.2 of TREK. Defenders should ensure they are running version 2.7.2 or later of the TREK application to mitigate this risk. This vulnerability affects systems running the vulnerable versions of the TREK application and could impact the confidentiality and integrity of user data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable TREK instance running a version prior to 2.7.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Immich trip photo management routes.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization checks, the attacker bypasses authentication requirements.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to trip photos.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete trip photos, impacting data integrity.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the exposed data to gather sensitive information about the trip and its participants.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially upload malicious images to the photo storage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40185 can lead to unauthorized access and modification of trip photos within the TREK travel planner application. While the exact number of affected users is unknown, any TREK instance running a version prior to 2.7.2 is susceptible. This could result in a breach of confidentiality, potential data manipulation, and reputational damage for the application. Sectors that rely on collaborative travel planning may be particularly affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all TREK instances to version 2.7.2 or later to remediate CVE-2026-40185.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious TREK Photo Route Access\u003c/code\u003e to detect potential exploitation attempts targeting the vulnerable photo management routes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the Immich trip photo management routes.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns or connections to the TREK server that might indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-trek-auth-bypass/","summary":"TREK collaborative travel planner before version 2.7.2 is vulnerable to missing authorization checks on the Immich trip photo management routes, potentially allowing unauthorized access to trip photos.","title":"TREK Travel Planner Missing Authorization Vulnerability (CVE-2026-40185)","url":"https://feed.craftedsignal.io/briefs/2026-04-trek-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dotnetnuke","xss","svg","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDotNetNuke.Core versions prior to 10.2.2 are vulnerable to stored cross-site scripting (XSS). An attacker can exploit this vulnerability by uploading a malicious SVG file to the DotNetNuke server. This file contains embedded JavaScript that executes when the SVG is processed and displayed by the application. Successful exploitation requires a user to interact with the uploaded SVG file, which then triggers the malicious script execution. This poses a significant risk as the injected scripts can target both authenticated and unauthenticated users, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. This vulnerability was published on April 10, 2026, and patched in version 10.2.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SVG file containing embedded JavaScript code designed for XSS exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker, with low privileges, uploads the malicious SVG file to the DotNetNuke server through a file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe server stores the SVG file, making it accessible to other users.\u003c/li\u003e\n\u003cli\u003eA user (either authenticated or unauthenticated) navigates to the location where the SVG file is stored or displayed.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser processes the SVG file, triggering the execution of the embedded JavaScript.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes within the user\u0026rsquo;s browser session, gaining access to cookies, session tokens, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker steals user\u0026rsquo;s cookies and session tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen session tokens to hijack the user\u0026rsquo;s session, perform unauthorized actions, and potentially escalate privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user\u0026rsquo;s session. This can lead to sensitive information disclosure, such as stealing user credentials or session cookies. An attacker can then hijack user sessions, perform unauthorized actions on their behalf, and potentially gain elevated privileges within the DotNetNuke application. Due to the nature of stored XSS, the impact can be widespread, affecting any user who interacts with the malicious SVG file until the vulnerability is patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DotNetNuke.Core to version 10.2.2 or later to patch the XSS vulnerability (reference: Affected versions).\u003c/li\u003e\n\u003cli\u003eImplement server-side validation to sanitize uploaded SVG files and prevent the injection of malicious scripts (reference: Description).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to upload SVG files containing JavaScript code (reference: Sigma rule \u0026ldquo;Detect SVG Upload with Embedded JavaScript\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eConfigure web application firewalls (WAFs) to inspect and block suspicious SVG uploads based on content analysis (reference: Description).\u003c/li\u003e\n\u003cli\u003eEnable logging for file uploads to track potential malicious activity (reference: logsource category \u0026ldquo;file_event\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-dotnetnuke-xss/","summary":"DotNetNuke.Core is vulnerable to stored cross-site scripting (XSS) where a user can upload a specially crafted SVG file containing malicious scripts, potentially targeting both authenticated and unauthenticated DNN users, with successful exploitation requiring user interaction and leading to high impact on confidentiality, integrity, and availability.","title":"DotNetNuke.Core Stored XSS via SVG Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-dotnetnuke-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-29002"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","cve"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-29002 identifies a privilege escalation vulnerability in CouchCMS. This flaw allows authenticated users with Admin-level privileges to elevate their access to SuperAdmin by tampering with the \u003ccode\u003ef_k_levels_list\u003c/code\u003e parameter during the user creation process. By modifying the value of this parameter from \u0026ldquo;4\u0026rdquo; to \u0026ldquo;10\u0026rdquo; in the HTTP request body, an attacker can bypass authorization checks, effectively circumventing restrictions on SuperAdmin account creation and privilege assignment. This vulnerability allows the attacker to gain complete control over the CouchCMS application. Successful exploitation requires valid Admin-level credentials and the ability to modify HTTP request parameters.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid Admin-level credentials for a CouchCMS instance.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the user creation page within the CouchCMS admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the HTTP request generated when submitting the user creation form.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003ef_k_levels_list\u003c/code\u003e parameter in the HTTP request body, changing its value from \u0026ldquo;4\u0026rdquo; (Admin) to \u0026ldquo;10\u0026rdquo; (SuperAdmin).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the modified HTTP request to the CouchCMS server.\u003c/li\u003e\n\u003cli\u003eThe CouchCMS server, due to insufficient authorization validation, creates a new user account with SuperAdmin privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in with the newly created SuperAdmin account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the CouchCMS application, including the ability to modify system settings, access sensitive data, and potentially compromise the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29002 leads to complete compromise of the CouchCMS application. An attacker with SuperAdmin privileges can access and modify any data within the CMS, potentially defacing websites, stealing sensitive information, or disrupting services. The vulnerability affects all CouchCMS installations where user creation is enabled and accessible to Admin-level users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of CouchCMS that addresses CVE-2026-29002.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CouchCMS SuperAdmin Creation via Parameter Tampering\u003c/code\u003e to your SIEM to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the user creation endpoint with a modified \u003ccode\u003ef_k_levels_list\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and authorization checks on the server-side to prevent unauthorized modification of user privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-couchcms-privesc/","summary":"CouchCMS is vulnerable to privilege escalation, allowing authenticated Admin-level users to create SuperAdmin accounts by manipulating the 'f_k_levels_list' parameter during user creation, granting them full application control.","title":"CouchCMS Privilege Escalation via f_k_levels_list Parameter Manipulation (CVE-2026-29002)","url":"https://feed.craftedsignal.io/briefs/2026-04-couchcms-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-33706"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","CVE-2026-33706"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33706 affects Chamilo LMS, a learning management system. Prior to version 1.11.38, the vulnerability allows an authenticated user, specifically a student (status=5), with a valid REST API key, to elevate their privileges. This is achieved by exploiting the \u003ccode\u003eupdate_user_from_username\u003c/code\u003e endpoint in the REST API. By sending a crafted request, a student can modify their user status to Teacher/CourseManager (status=1). This privilege escalation grants the attacker the ability to create and manage courses, access sensitive data, and potentially disrupt the learning environment. The vulnerability has been patched in version 1.11.38, so upgrading is strongly recommended. This vulnerability highlights the importance of proper access controls and input validation in web applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains valid credentials for a student account within the Chamilo LMS.\u003c/li\u003e\n\u003cli\u003eAttacker generates a REST API key associated with their student account.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eupdate_user_from_username\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the attacker\u0026rsquo;s username and a modified status value (e.g., from 5 to 1) within the request body.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the Chamilo LMS server, authenticating with their REST API key.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS server, lacking proper authorization checks, updates the attacker\u0026rsquo;s user status in the database.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out and then logs back in to the Chamilo LMS.\u003c/li\u003e\n\u003cli\u003eUpon re-authentication, the attacker now has Teacher/CourseManager privileges, enabling them to create and manage courses, access student data, and modify system settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33706 allows a student to gain administrative control over the Chamilo LMS platform. This can lead to unauthorized course creation, modification of student grades, data theft, and disruption of the learning environment. The number of potential victims depends on the number of Chamilo LMS instances running a vulnerable version (prior to 1.11.38). If successful, an attacker could potentially compromise the entire learning platform and its users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-33706.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies and regularly audit user permissions to prevent unauthorized privilege escalation.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003eupdate_user_from_username\u003c/code\u003e endpoint (see example Sigma rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts in real-time.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-privesc/","summary":"Chamilo LMS before 1.11.38 allows authenticated users with a REST API key to escalate their privileges by modifying their user status via the update_user_from_username endpoint, potentially granting unauthorized course management capabilities.","title":"Chamilo LMS Privilege Escalation via REST API (CVE-2026-33706)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-32252"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chartbrew","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChartbrew, an open-source web application used for creating charts from databases and APIs, is vulnerable to a cross-tenant authorization bypass (CVE-2026-32252) in versions prior to 4.9.0. This vulnerability resides in the GET /team/:team_id/template/generate/:project_id endpoint. Specifically, the \u003ccode\u003echeckAccess\u003c/code\u003e function doesn\u0026rsquo;t await its promise and fails to validate if the \u003ccode\u003eproject_id\u003c/code\u003e belongs to the specified \u003ccode\u003eteam_id\u003c/code\u003e or the attacker\u0026rsquo;s team. This allows an authenticated attacker with template generation permissions in their own team to request and receive template model data for projects belonging to other teams. Upgrading to version 4.9.0 or later resolves this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a Chartbrew instance with valid credentials and template generation permissions within their own team.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a valid \u003ccode\u003eteam_id\u003c/code\u003e belonging to a victim team. This could be done through enumeration of team IDs, social engineering, or other means.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a valid \u003ccode\u003eproject_id\u003c/code\u003e belonging to the victim team. This may require some level of prior knowledge or reconnaissance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a GET request to \u003ccode\u003e/team/:victim_team_id/template/generate/:victim_project_id\u003c/code\u003e, replacing \u003ccode\u003e:victim_team_id\u003c/code\u003e and \u003ccode\u003e:victim_project_id\u003c/code\u003e with the identified values.\u003c/li\u003e\n\u003cli\u003eThe Chartbrew server receives the request and calls the \u003ccode\u003echeckAccess\u003c/code\u003e function, but does not await the promise.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation of the \u003ccode\u003eproject_id\u003c/code\u003e against the \u003ccode\u003eteam_id\u003c/code\u003e and the caller\u0026rsquo;s team, the authorization check is bypassed.\u003c/li\u003e\n\u003cli\u003eThe server retrieves the template model data associated with the victim\u0026rsquo;s project.\u003c/li\u003e\n\u003cli\u003eThe server returns the victim\u0026rsquo;s project data to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain unauthorized access to sensitive project data belonging to other teams within the Chartbrew application. This could include confidential database connection strings, API keys, data schemas, and other information that could be used to further compromise the victim\u0026rsquo;s systems or data. The number of affected organizations depends on the adoption rate of Chartbrew instances prior to version 4.9.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chartbrew to version 4.9.0 or later to patch CVE-2026-32252.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Chartbrew Template Generation Request\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual requests to the \u003ccode\u003e/team/*/template/generate/*\u003c/code\u003e endpoint using a WAF or similar tool.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T20:16:21Z","date_published":"2026-04-10T20:16:21Z","id":"/briefs/2024-01-03-chartbrew-auth-bypass/","summary":"Chartbrew versions prior to 4.9.0 are vulnerable to a cross-tenant authorization bypass, allowing an authenticated attacker to access project data belonging to other teams.","title":"Chartbrew Cross-Tenant Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chartbrew-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6038"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6038","sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-6038, has been discovered in version 1.0 of the code-projects Vehicle Showroom Management System. This vulnerability resides within the \u003ccode\u003e/util/RegisterCustomerFunction.php\u003c/code\u003e file, and can be exploited by manipulating the \u003ccode\u003eBRANCH_ID\u003c/code\u003e argument. The vulnerability allows for remote exploitation, meaning an attacker does not need local access to the system. Publicly available exploit code exists, increasing the likelihood of exploitation. Successful exploitation could allow an attacker to read, modify, or delete sensitive data within the application\u0026rsquo;s database. This vulnerability was published on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of Vehicle Showroom Management System 1.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting \u003ccode\u003e/util/RegisterCustomerFunction.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload within the \u003ccode\u003eBRANCH_ID\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003eBRANCH_ID\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is incorporated into a SQL query executed by the application.\u003c/li\u003e\n\u003cli\u003eThe SQL injection payload manipulates the query to extract sensitive data or modify database records.\u003c/li\u003e\n\u003cli\u003eThe application returns the results of the manipulated query to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6038 can lead to unauthorized access to the Vehicle Showroom Management System\u0026rsquo;s database. This could result in the disclosure of sensitive customer information (names, addresses, financial details), modification of vehicle inventory data, or even complete compromise of the application\u0026rsquo;s data integrity. The impact would depend on the level of privileges the application\u0026rsquo;s database user has and the attacker\u0026rsquo;s objectives, but it is a high-severity vulnerability due to the ease of exploitation and potential for significant data breach or manipulation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to \u003ccode\u003e/util/RegisterCustomerFunction.php\u003c/code\u003e containing unusual characters or SQL keywords in the \u003ccode\u003eBRANCH_ID\u003c/code\u003e parameter using the Sigma rule \u0026ldquo;Detect SQL Injection Attempt via BRANCH_ID Parameter\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eBRANCH_ID\u003c/code\u003e parameter within the \u003ccode\u003e/util/RegisterCustomerFunction.php\u003c/code\u003e file to prevent SQL injection.\u003c/li\u003e\n\u003cli\u003eMonitor database logs for anomalous queries originating from the Vehicle Showroom Management System\u0026rsquo;s application user.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T09:20:18Z","date_published":"2026-04-10T09:20:18Z","id":"/briefs/2026-04-vehicle-showroom-sql-injection/","summary":"A remote SQL injection vulnerability (CVE-2026-6038) exists in the code-projects Vehicle Showroom Management System 1.0, specifically affecting the /util/RegisterCustomerFunction.php file by manipulating the BRANCH_ID argument.","title":"Vehicle Showroom Management System SQL Injection Vulnerability (CVE-2026-6038)","url":"https://feed.craftedsignal.io/briefs/2026-04-vehicle-showroom-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6036"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","cve-2026-6036","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6036 is a SQL injection vulnerability affecting Vehicle Showroom Management System version 1.0. The vulnerability resides within the \u003ccode\u003e/util/VehicleDetailsFunction.php\u003c/code\u003e file, specifically involving the \u003ccode\u003eVEHICLE_ID\u003c/code\u003e parameter. An unauthenticated attacker can remotely exploit this vulnerability by injecting malicious SQL code into the \u003ccode\u003eVEHICLE_ID\u003c/code\u003e argument. This allows for the potential execution of arbitrary SQL commands on the underlying database, potentially leading to data breaches, modification, or complete system compromise. A public exploit exists, increasing the likelihood of exploitation. The vulnerable software is commonly used for managing vehicle inventory and showroom operations, making organizations that rely on this software potential targets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Vehicle Showroom Management System 1.0 instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/util/VehicleDetailsFunction.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a modified \u003ccode\u003eVEHICLE_ID\u003c/code\u003e parameter containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003eVEHICLE_ID\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is directly incorporated into an SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information from the database, such as user credentials, vehicle details, or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials to gain unauthorized access to the system or exfiltrates the data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6036 allows an attacker to execute arbitrary SQL queries against the Vehicle Showroom Management System\u0026rsquo;s database. This could lead to the disclosure of sensitive customer information, modification of vehicle inventory data, or even complete compromise of the system. The vulnerability could result in significant financial losses, reputational damage, and legal liabilities for affected organizations. While the number of affected installations is unknown, Vehicle Showroom Management Systems are commonly used by dealerships and automotive businesses, making them attractive targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization techniques to the \u003ccode\u003eVEHICLE_ID\u003c/code\u003e parameter in \u003ccode\u003e/util/VehicleDetailsFunction.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SQL Injection Attempts in Vehicle Showroom Management System\u003c/code\u003e to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting \u003ccode\u003e/util/VehicleDetailsFunction.php\u003c/code\u003e with potentially malicious \u003ccode\u003eVEHICLE_ID\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T09:16:51Z","date_published":"2026-04-10T09:16:51Z","id":"/briefs/2026-04-vehicleshowroom-sqli/","summary":"A remote SQL injection vulnerability (CVE-2026-6036) exists in the Vehicle Showroom Management System 1.0 due to improper sanitization of the VEHICLE_ID parameter in /util/VehicleDetailsFunction.php, potentially allowing attackers to execute arbitrary SQL commands.","title":"SQL Injection Vulnerability in Vehicle Showroom Management System 1.0 (CVE-2026-6036)","url":"https://feed.craftedsignal.io/briefs/2026-04-vehicleshowroom-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-40114"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","praisonai","cve-2026-40114","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability affecting versions prior to 4.5.128. The vulnerability resides in the \u003ccode\u003e/api/v1/runs\u003c/code\u003e endpoint, which accepts a \u003ccode\u003ewebhook_url\u003c/code\u003e parameter in the request body without proper validation. This allows an unauthenticated attacker to specify an arbitrary URL, causing the PraisonAI server to send an HTTP POST request to that URL upon job completion. This flaw enables attackers to target internal services, cloud metadata endpoints, and other network-adjacent resources, potentially leading to information disclosure, privilege escalation, or denial-of-service. Organizations using affected versions of PraisonAI should upgrade to version 4.5.128 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a PraisonAI instance running a version prior to 4.5.128.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/v1/runs\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003ewebhook_url\u003c/code\u003e parameter containing a URL pointing to an internal service, cloud metadata endpoint, or external attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI server receives the request and queues a job.\u003c/li\u003e\n\u003cli\u003eThe job completes (either successfully or with an error).\u003c/li\u003e\n\u003cli\u003eUpon completion, the server, using \u003ccode\u003ehttpx.AsyncClient\u003c/code\u003e, initiates an HTTP POST request to the URL specified in the \u003ccode\u003ewebhook_url\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003ewebhook_url\u003c/code\u003e points to an internal service, the attacker can potentially access sensitive information or trigger actions within that service.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003ewebhook_url\u003c/code\u003e points to a cloud metadata endpoint, the attacker can retrieve cloud credentials or configuration details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows an unauthenticated attacker to force the PraisonAI server to make arbitrary HTTP POST requests. This can lead to the exposure of sensitive information from internal services or cloud metadata, potentially granting the attacker unauthorized access to systems and data. The vulnerability could also be leveraged to perform denial-of-service attacks against internal resources. While the exact number of affected organizations is unknown, any organization running a vulnerable version of PraisonAI is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI instances to version 4.5.128 or later to remediate CVE-2026-40114.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to the \u003ccode\u003e/api/v1/runs\u003c/code\u003e endpoint containing suspicious \u003ccode\u003ewebhook_url\u003c/code\u003e parameters to detect potential exploitation attempts. Deploy the Sigma rule to detect suspicious webhook URLs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected outbound connections originating from the PraisonAI server to internal or external destinations, as this could indicate SSRF exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:35Z","date_published":"2026-04-09T22:16:35Z","id":"/briefs/2024-01-praisonai-ssrf/","summary":"PraisonAI versions prior to 4.5.128 are vulnerable to Server-Side Request Forgery (SSRF) due to a lack of URL validation on the webhook_url parameter in the /api/v1/runs endpoint, allowing unauthenticated attackers to send arbitrary POST requests from the server.","title":"PraisonAI SSRF Vulnerability via Unvalidated Webhook URL","url":"https://feed.craftedsignal.io/briefs/2024-01-praisonai-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-39981"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","cve","agixt","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAGiXT, a dynamic AI Agent Automation Platform, contains a critical vulnerability (CVE-2026-39981) affecting versions prior to 1.9.2. The vulnerability lies in the \u003ccode\u003esafe_join()\u003c/code\u003e function within the \u003ccode\u003eessential_abilities\u003c/code\u003e extension. This function fails to adequately validate file paths, creating an opportunity for authenticated attackers to perform directory traversal attacks. By exploiting this flaw, an attacker can manipulate file paths to access files outside the designated agent workspace, resulting in arbitrary file read, write, or deletion capabilities on the server hosting the AGiXT instance. This issue was addressed and resolved in AGiXT version 1.9.2. This vulnerability could allow an attacker to gain complete control over the AGiXT server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the AGiXT application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003esafe_join()\u003c/code\u003e function within the \u003ccode\u003eessential_abilities\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to navigate outside the intended agent workspace.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esafe_join()\u003c/code\u003e function fails to properly sanitize the input, allowing the traversal sequences to take effect.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to read arbitrary files on the server using the path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the ability to write to arbitrary files to inject malicious code or overwrite existing system files.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the write access to establish persistence, potentially by modifying system startup scripts or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server hosting the AGiXT instance, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39981 can lead to complete compromise of the AGiXT server. An attacker could gain unauthorized access to sensitive data, modify system configurations, install malware, or disrupt services. This vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. The impact could be significant for organizations relying on AGiXT for critical operations, potentially leading to data breaches, financial losses, and reputational damage. The number of victims and specific sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AGiXT to version 1.9.2 or later to remediate CVE-2026-39981 (references: \u003ca href=\"https://github.com/Josh-XT/AGiXT/releases/tag/v1.9.2)\"\u003ehttps://github.com/Josh-XT/AGiXT/releases/tag/v1.9.2)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent directory traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor AGiXT application logs for suspicious file access attempts and path manipulation sequences.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to your SIEM to detect potential exploitation attempts targeting CVE-2026-39981.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T18:17:02Z","date_published":"2026-04-09T18:17:02Z","id":"/briefs/2026-04-agixt-path-traversal/","summary":"AGiXT versions prior to 1.9.2 are vulnerable to path traversal (CVE-2026-39981) due to insufficient validation in the safe_join() function, allowing authenticated attackers to read, write, or delete arbitrary files.","title":"AGiXT Path Traversal Vulnerability (CVE-2026-39981)","url":"https://feed.craftedsignal.io/briefs/2026-04-agixt-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5837"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","php","CVE-2026-5837"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5837 describes a SQL injection vulnerability affecting PHPGurukul News Portal Project version 4.1. The vulnerability resides in the \u003ccode\u003e/news-details.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eComment\u003c/code\u003e argument.  Successful exploitation allows remote attackers to inject arbitrary SQL commands into the application\u0026rsquo;s database queries. The vulnerability has a CVSS v3.1 score of 7.3, indicating a high severity. Publicly available exploits exist, increasing the risk of active exploitation. Organizations using PHPGurukul News Portal Project 4.1 are urged to investigate and mitigate this vulnerability immediately. The lack of specific patching information emphasizes the importance of proactive detection and prevention measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable PHPGurukul News Portal Project 4.1 instance accessible over the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/news-details.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request, the \u003ccode\u003eComment\u003c/code\u003e parameter is manipulated to inject SQL code. For example, the attacker might inject a payload such as \u003ccode\u003e' OR '1'='1\u003c/code\u003e to bypass authentication or extract data.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the crafted request without proper sanitization of the \u003ccode\u003eComment\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is embedded within a database query executed by the application.\u003c/li\u003e\n\u003cli\u003eThe database server executes the attacker-controlled SQL query, potentially allowing the attacker to read, modify, or delete data.\u003c/li\u003e\n\u003cli\u003eThe application returns the results of the injected SQL query to the attacker, potentially revealing sensitive information or confirming successful code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection vulnerability to potentially gain unauthorized access to sensitive data, modify website content, or even gain control of the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5837 can lead to unauthorized access to sensitive information stored in the PHPGurukul News Portal Project\u0026rsquo;s database. An attacker could potentially steal user credentials, financial data, or other confidential information. The attacker could also modify website content, inject malicious code, or even gain control of the underlying server. Given the public availability of exploits, vulnerable instances are at immediate risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting SQL Injection in PHPGurukul News Portal\u003c/code\u003e to identify attempts to exploit CVE-2026-5837 by monitoring for suspicious characters in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field of web server logs.\u003c/li\u003e\n\u003cli\u003eApply web application firewall (WAF) rules to block requests containing common SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eReview and harden the \u003ccode\u003e/news-details.php\u003c/code\u003e page to properly sanitize the Comment input field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity, especially related to the \u003ccode\u003e/news-details.php\u003c/code\u003e endpoint, and correlate with other security events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T04:17:23Z","date_published":"2026-04-09T04:17:23Z","id":"/briefs/2026-04-phpgurukul-sql-injection/","summary":"PHPGurukul News Portal Project version 4.1 is vulnerable to SQL injection via the Comment parameter in /news-details.php, potentially allowing remote attackers to execute arbitrary SQL queries.","title":"PHPGurukul News Portal Project SQL Injection Vulnerability (CVE-2026-5837)","url":"https://feed.craftedsignal.io/briefs/2026-04-phpgurukul-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5829"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve-2026-5829"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5829 is a SQL injection vulnerability affecting version 1.0 of the code-projects Simple IT Discussion Forum. The vulnerability resides in the \u003ccode\u003e/pages/content.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003epost_id\u003c/code\u003e argument. Successful exploitation allows a remote attacker to execute arbitrary SQL queries on the underlying database. Given the public disclosure of the exploit, instances of Simple IT Discussion Forum 1.0 are at immediate risk. This is a critical vulnerability as it potentially allows an attacker to read sensitive data, modify existing data, or even gain complete control of the application and its underlying infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Simple IT Discussion Forum 1.0 instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request targeting \u003ccode\u003e/pages/content.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003epost_id\u003c/code\u003e parameter containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003epost_id\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003epost_id\u003c/code\u003e parameter is used in a SQL query executed against the database.\u003c/li\u003e\n\u003cli\u003eThe SQL injection payload allows the attacker to bypass intended query logic.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to extract sensitive information from the database or modify data.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially leverage the SQL injection to execute operating system commands via SQL Server\u0026rsquo;s \u003ccode\u003exp_cmdshell\u003c/code\u003e or similar functionality if available.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5829 can lead to significant data breaches, data manipulation, and potential system compromise.  Attackers could gain unauthorized access to sensitive user data, including credentials and personal information. The impact ranges from defacement of the forum to complete control of the web server hosting the application. The vulnerability allows attackers to read, modify, or delete data stored in the forum\u0026rsquo;s database.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003epost_id\u003c/code\u003e parameter in \u003ccode\u003e/pages/content.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Attempts via POST ID\u0026rdquo; to identify potential exploitation attempts targeting the \u003ccode\u003epost_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads in the \u003ccode\u003epost_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview and harden database server configurations to limit the privileges of the database user account used by the Simple IT Discussion Forum application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T02:16:17Z","date_published":"2026-04-09T02:16:17Z","id":"/briefs/2026-04-simple-it-forum-sql-injection/","summary":"A remote SQL injection vulnerability (CVE-2026-5829) exists in code-projects Simple IT Discussion Forum 1.0 due to improper handling of the 'post_id' argument in the '/pages/content.php' file, allowing attackers to execute arbitrary SQL queries.","title":"code-projects Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5829)","url":"https://feed.craftedsignal.io/briefs/2026-04-simple-it-forum-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5827"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","web-application","injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-5827, affects code-projects Simple IT Discussion Forum version 1.0. The vulnerability resides in the \u003ccode\u003e/question-function.php\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003econtent\u003c/code\u003e argument. Successful exploitation allows a remote attacker to inject arbitrary SQL commands, potentially leading to data exfiltration, modification, or complete system compromise. This vulnerability is considered high risk due to its ease of exploitation and the sensitive nature of data often stored in forum databases. The exploit is publicly available, increasing the likelihood of widespread exploitation. Defenders should prioritize patching and implementing mitigations to prevent potential attacks against vulnerable Simple IT Discussion Forum instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Simple IT Discussion Forum 1.0 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/question-function.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload within the \u003ccode\u003econtent\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL query to the database.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL code.\u003c/li\u003e\n\u003cli\u003eThe attacker can extract sensitive data, such as user credentials or forum content.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify data within the database, altering forum posts or user profiles.\u003c/li\u003e\n\u003cli\u003eIn a worst-case scenario, the attacker gains complete control of the database server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can have severe consequences. An attacker can gain unauthorized access to sensitive data, including user credentials, private messages, and other confidential information stored within the Simple IT Discussion Forum database. This can lead to identity theft, financial fraud, and reputational damage. Furthermore, attackers can modify or delete data, disrupt forum operations, or even gain complete control of the underlying server. Given the public availability of the exploit, unpatched instances are at significant risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for code-projects Simple IT Discussion Forum 1.0 to address CVE-2026-5827.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003e/question-function.php\u003c/code\u003e file to prevent SQL injection attacks, specifically targeting the \u003ccode\u003econtent\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) with rules to detect and block SQL injection attempts against \u003ccode\u003e/question-function.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual characters or SQL keywords in the \u003ccode\u003econtent\u003c/code\u003e parameter of requests to \u003ccode\u003e/question-function.php\u003c/code\u003e. Enable webserver logging to activate the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect SQL injection attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T01:16:50Z","date_published":"2026-04-09T01:16:50Z","id":"/briefs/2026-04-simple-it-forum-sqli/","summary":"CVE-2026-5827 is a SQL injection vulnerability in code-projects Simple IT Discussion Forum 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'content' argument in /question-function.php.","title":"Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5827)","url":"https://feed.craftedsignal.io/briefs/2026-04-simple-it-forum-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-39889"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39889","information-disclosure","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is vulnerable to unauthenticated information disclosure in versions prior to 4.5.115. The vulnerability, identified as CVE-2026-39889, stems from the A2U (Agent-to-User) event stream server exposing sensitive agent activity without proper authentication. The \u003ccode\u003ecreate_a2u_routes()\u003c/code\u003e function registers several endpoints, including \u003ccode\u003e/a2u/info\u003c/code\u003e, \u003ccode\u003e/a2u/subscribe\u003c/code\u003e, \u003ccode\u003e/a2u/events/{stream_name}\u003c/code\u003e, \u003ccode\u003e/a2u/events/sub/{id}\u003c/code\u003e, and \u003ccode\u003e/a2u/health\u003c/code\u003e, without implementing authentication checks. An attacker can exploit this flaw to gain unauthorized insight into agent operations within the PraisonAI system. This vulnerability was reported on April 8, 2026, and patched in version 4.5.115.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a PraisonAI instance running a version prior to 4.5.115.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the \u003ccode\u003e/a2u/info\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server responds with information about the available agent activity streams without requiring any authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker subscribes to a specific agent activity stream by sending an HTTP GET request to \u003ccode\u003e/a2u/subscribe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server provides the attacker with a stream ID, again without authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker then requests event data from the \u003ccode\u003e/a2u/events/{stream_name}\u003c/code\u003e endpoint, substituting \u003ccode\u003e{stream_name}\u003c/code\u003e with a valid stream name obtained from \u003ccode\u003e/a2u/info\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker requests event data from the \u003ccode\u003e/a2u/events/sub/{id}\u003c/code\u003e endpoint, where \u0026lsquo;{id}\u0026rsquo; is a stream ID obtained from \u003ccode\u003e/a2u/subscribe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server streams agent activity data to the attacker, enabling them to monitor agent actions and potentially extract sensitive information. The final objective is to gain unauthorized access to agent activity data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39889 can lead to the unauthorized disclosure of sensitive information related to agent activity within the PraisonAI system. This could include confidential data processed by the agents, internal operational details, and potentially credentials or API keys used by the agents. While the exact number of affected installations is unknown, any organization using PraisonAI versions prior to 4.5.115 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI installations to version 4.5.115 or later to remediate CVE-2026-39889.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/a2u/info\u003c/code\u003e, \u003ccode\u003e/a2u/subscribe\u003c/code\u003e, \u003ccode\u003e/a2u/events/{stream_name}\u003c/code\u003e, \u003ccode\u003e/a2u/events/sub/{id}\u003c/code\u003e, and \u003ccode\u003e/a2u/health\u003c/code\u003e endpoints without prior authentication. Consider deploying the Sigma rule provided below to detect such activity.\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the PraisonAI server to only authorized users and systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T21:17:01Z","date_published":"2026-04-08T21:17:01Z","id":"/briefs/2026-04-praisonai-unauth-access/","summary":"PraisonAI versions prior to 4.5.115 expose agent activity without authentication due to improperly secured A2U event stream endpoints, potentially allowing unauthorized access to sensitive agent information.","title":"PraisonAI Unauthenticated Agent Activity Exposure (CVE-2026-39889)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-unauth-access/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-35446"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["directory-traversal","web-application","neuroimaging"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application designed for data and project management in neuroimaging research. Versions 24.0.0 up to, but not including, 27.0.3 and 28.0.1 contain a directory traversal vulnerability (CVE-2026-35446) in the FilesDownloadHandler. This flaw stems from an incorrect order of operations, potentially enabling an attacker to escape the intended download directories and access sensitive files. Successful exploitation requires authentication and could lead to unauthorized access to sensitive research data. Users are advised to upgrade to versions 27.0.3 or 28.0.1 to mitigate this vulnerability. This vulnerability impacts organizations utilizing LORIS for managing sensitive neuroimaging data, potentially exposing research data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the LORIS web application with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003eFilesDownloadHandler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated file path designed to traverse directories outside the intended download directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFilesDownloadHandler\u003c/code\u003e processes the request with an incorrect order of operations when validating the file path.\u003c/li\u003e\n\u003cli\u003eThe application bypasses the intended directory restrictions due to the flawed validation process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to files and directories outside of the designated download directory.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive data, including neuroimaging data, project files, or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive data for malicious purposes, such as espionage or sale on the dark web.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this directory traversal vulnerability (CVE-2026-35446) in LORIS could lead to unauthorized access to sensitive neuroimaging research data. The number of affected organizations is unknown, but any organization using LORIS versions 24.0.0 to before 27.0.3 and 28.0.1 is potentially vulnerable. The impact includes data breaches, intellectual property theft, and potential compromise of patient privacy if patient data is stored within the LORIS system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LORIS to version 27.0.3 or 28.0.1 to remediate CVE-2026-35446, as indicated in the overview.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect LORIS Directory Traversal Attempt\u0026rdquo; Sigma rule to monitor for suspicious file download requests.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual file download patterns or attempts to access files outside the intended download directories using the file_event log source to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:24Z","date_published":"2026-04-08T19:25:24Z","id":"/briefs/2026-04-loris-traversal/","summary":"LORIS, a neuroimaging research data management web application, is vulnerable to directory traversal (CVE-2026-35446) due to an incorrect order of operations in the FilesDownloadHandler, allowing authenticated attackers to access unauthorized files.","title":"LORIS Directory Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-loris-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-34392"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["file-traversal","web-application","cve-2026-34392"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application used for data and project management in neuroimaging research. A critical file traversal vulnerability, identified as CVE-2026-34392, exists within the static file router of LORIS versions 20.0.0 to before 27.0.3 and 28.0.1. This flaw allows an unauthenticated attacker to access and download unintended files by manipulating requests to the \u003ccode\u003e/static\u003c/code\u003e, \u003ccode\u003e/css\u003c/code\u003e, and \u003ccode\u003e/js\u003c/code\u003e endpoints. Successful exploitation of this vulnerability can lead to the exposure of sensitive data, including configuration files, source code, and potentially patient information. The vulnerability is patched in versions 27.0.3 and 28.0.1. Organizations using vulnerable versions of LORIS should upgrade immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a LORIS instance running a vulnerable version (20.0.0 to before 27.0.3 or 28.0.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/static\u003c/code\u003e, \u003ccode\u003e/css\u003c/code\u003e, or \u003ccode\u003e/js\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a file traversal sequence (e.g., \u003ccode\u003e../\u003c/code\u003e) in the URL to navigate outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe LORIS static file router improperly handles the traversal sequence, failing to sanitize the requested path.\u003c/li\u003e\n\u003cli\u003eThe webserver retrieves the file specified by the attacker, potentially including sensitive configuration files or source code.\u003c/li\u003e\n\u003cli\u003eThe webserver responds with the contents of the requested file, which may contain sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the file and analyzes its contents for valuable information, such as database credentials or API keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34392 can have severe consequences. An attacker can gain unauthorized access to sensitive files within the LORIS application. This can lead to the exposure of configuration files containing database credentials, API keys, or other sensitive data. The exposure of source code could also facilitate the discovery of other vulnerabilities. Depending on the files exposed, this could lead to further compromise of the LORIS system and potentially the underlying infrastructure, impacting the confidentiality and integrity of the research data managed by the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LORIS to version 27.0.3 or 28.0.1 or later to patch CVE-2026-34392.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block requests containing directory traversal sequences targeting the \u003ccode\u003e/static\u003c/code\u003e, \u003ccode\u003e/css\u003c/code\u003e, and \u003ccode\u003e/js\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:21Z","date_published":"2026-04-08T19:25:21Z","id":"/briefs/2026-04-loris-file-traversal/","summary":"A file traversal vulnerability (CVE-2026-34392) in LORIS versions 20.0.0 to before 27.0.3 and 28.0.1 allows an unauthenticated attacker to download arbitrary files via the static file router.","title":"LORIS File Traversal Vulnerability (CVE-2026-34392)","url":"https://feed.craftedsignal.io/briefs/2026-04-loris-file-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-5301"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","cve-2026-5301","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCoolerControl/coolercontrol-ui versions prior to 4.0.0 are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-5301. This flaw resides in the log viewer component of the application. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code into log entries. When a user views the log entries containing the malicious script, the script executes within their browser, potentially allowing the attacker to take over the CoolerControl service. The vulnerability was reported by GitLab Inc. and affects versions prior to the release of version 4.0.0. This is a high severity vulnerability because it allows unauthenticated attackers to perform actions as other users in the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a CoolerControl/coolercontrol-ui instance running a version prior to 4.0.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious log entry containing JavaScript code designed to execute arbitrary actions within a user\u0026rsquo;s session, such as stealing cookies or redirecting to a phishing site.\u003c/li\u003e\n\u003cli\u003eThe attacker injects this malicious log entry into the CoolerControl/coolercontrol-ui system. The method of injection is not specified in the source but could involve exploiting other vulnerabilities or misconfigurations in the system.\u003c/li\u003e\n\u003cli\u003eA user, such as an administrator, accesses the log viewer within the CoolerControl/coolercontrol-ui interface.\u003c/li\u003e\n\u003cli\u003eThe log viewer renders the malicious log entry, causing the injected JavaScript code to execute in the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the user\u0026rsquo;s session or performs other malicious actions, such as stealing credentials or injecting further malicious content into the application.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised session to potentially escalate privileges and gain complete control over the CoolerControl service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5301 can lead to a complete compromise of the CoolerControl service. An attacker could gain unauthorized access to sensitive data, modify system configurations, or use the compromised system as a launchpad for further attacks. Given the nature of XSS vulnerabilities, impact is highly dependent on the privileges of the user whose session is compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CoolerControl/coolercontrol-ui to version 4.0.0 or later to remediate CVE-2026-5301.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding on all log entries to prevent the injection of malicious scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts by monitoring for script execution in the context of the CoolerControl/coolercontrol-ui web application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T13:16:43Z","date_published":"2026-04-08T13:16:43Z","id":"/briefs/2026-04-coolercontrol-xss/","summary":"Unauthenticated attackers can perform a stored XSS attack against CoolerControl/coolercontrol-ui versions less than 4.0.0 by injecting malicious JavaScript into log entries, leading to potential service takeover.","title":"CoolerControl-UI Stored XSS Vulnerability (CVE-2026-5301)","url":"https://feed.craftedsignal.io/briefs/2026-04-coolercontrol-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.4,"id":"CVE-2023-38766"},{"cvss":8.7,"id":"CVE-2026-35576"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","web-application","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a stored cross-site scripting (XSS) attack affecting versions prior to 7.0.0. This vulnerability resides within the Person Property Management subsystem and stems from insufficient input sanitization when handling dynamically assigned person properties. An authenticated attacker can inject malicious JavaScript code, which is then persistently stored in the database. When other users view the compromised person\u0026rsquo;s profile or access the printable view of that profile, the injected script executes, potentially leading to session hijacking or complete account takeover. This issue impacts versions patched for CVE-2023-38766, highlighting a persistent weakness. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and data breaches. Users are advised to update to version 7.0.0 or later to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to ChurchCRM with valid user credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Person Property Management section.\u003c/li\u003e\n\u003cli\u003eAttacker creates or modifies a dynamically assigned person property, injecting malicious JavaScript code into a property field. Example payload: \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application stores the malicious payload in the database without proper sanitization.\u003c/li\u003e\n\u003cli\u003eA different user views the profile of the person with the compromised property.\u003c/li\u003e\n\u003cli\u003eThe stored XSS payload is rendered within the user\u0026rsquo;s browser, executing the injected JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code steals the user\u0026rsquo;s session cookie or redirects the user to a phishing page.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to hijack the user\u0026rsquo;s session and gain unauthorized access to the application, potentially escalating privileges and accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability can lead to session hijacking and full account compromise. Attackers could gain unauthorized access to sensitive church member data, modify records, or perform administrative functions within the ChurchCRM system. The impact ranges from data theft and privacy breaches to complete disruption of church management operations. Given the potential for widespread access to sensitive personal information, organizations are strongly advised to apply the necessary updates to mitigate this risk. The CVSS v3.1 base score for this vulnerability is 8.7, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 7.0.0 or later to patch the vulnerability (CVE-2026-35576).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential XSS attempts via crafted property values.\u003c/li\u003e\n\u003cli\u003eReview and audit existing dynamically assigned person properties for suspicious script tags to identify potentially compromised records.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding to prevent future XSS vulnerabilities in ChurchCRM.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:00:00Z","date_published":"2026-04-08T12:00:00Z","id":"/briefs/2026-04-churchcrm-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject arbitrary JavaScript code via dynamically assigned person properties, leading to potential session hijacking or account compromise when other users view the affected profile.","title":"ChurchCRM Stored XSS Vulnerability in Person Property Management","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-39847"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","web-application","emmett","cve-2026-39847"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Emmett web framework, a full-stack Python framework, is susceptible to a path traversal vulnerability affecting versions 2.5.0 to prior to 2.8.1. Specifically, the RSGI static handler for Emmett\u0026rsquo;s internal assets (/\u003cstrong\u003eemmett\u003c/strong\u003e paths) does not properly sanitize user-supplied input, leading to CVE-2026-39847. By crafting malicious URLs containing \u0026ldquo;../\u0026rdquo; sequences, an unauthenticated attacker can bypass directory restrictions and access sensitive files residing outside the designated assets directory. Successful exploitation allows attackers to potentially read application source code, configuration files, or other sensitive data. Emmett users are urged to upgrade to version 2.8.1 or later to remediate this vulnerability. The vulnerability was reported on April 7th, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Emmett web application running a version between 2.5.0 and 2.8.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting a static asset under the \u003ccode\u003e/__emmett__\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe crafted URL includes \u0026ldquo;../\u0026rdquo; sequences to traverse up the directory structure from the intended assets directory. For example: \u003ccode\u003e/__emmett__/../../../../etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe web server receives the request and passes it to the vulnerable RSGI static handler.\u003c/li\u003e\n\u003cli\u003eDue to the lack of input sanitization, the handler processes the \u0026ldquo;../\u0026rdquo; sequences, allowing the attacker to navigate outside the assets directory.\u003c/li\u003e\n\u003cli\u003eThe handler attempts to read the file specified in the manipulated path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns the contents of the requested file in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains sensitive information from the server, potentially including configuration files, source code, or credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-39847) allows an attacker to read arbitrary files on the server hosting the Emmett web application. This can lead to the exposure of sensitive information such as application source code, configuration files containing database credentials, or even system files. The impact can range from information disclosure to complete compromise of the web application and potentially the underlying server. The severity is rated as critical with a CVSS v3.1 score of 9.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Emmett to version 2.8.1 or later to patch CVE-2026-39847.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Emmett Path Traversal Attempts\u0026rdquo; to your SIEM to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URLs containing \u0026ldquo;../\u0026rdquo; sequences targeting the \u003ccode\u003e/__emmett__\u003c/code\u003e path to identify potential exploit attempts.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T22:16:23Z","date_published":"2026-04-07T22:16:23Z","id":"/briefs/2026-04-emmett-path-traversal/","summary":"Emmett web framework versions 2.5.0 to before 2.8.1 are vulnerable to path traversal attacks (CVE-2026-39847), allowing attackers to read arbitrary files outside the intended assets directory using manipulated URLs.","title":"Emmett Web Framework Path Traversal Vulnerability (CVE-2026-39847)","url":"https://feed.craftedsignal.io/briefs/2026-04-emmett-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-39331"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39331","churchcrm","authorization-bypass","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM is an open-source church management system. Prior to version 7.1.0, a critical vulnerability exists (CVE-2026-39331) that allows authenticated API users to bypass authorization controls and modify family records without proper privileges. This is achieved by manipulating the \u003ccode\u003e{familyId}\u003c/code\u003e parameter in specific API requests. The vulnerability lies in the absence of role-based access control on several key API endpoints, including \u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, and \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e. This allows attackers to deactivate/reactivate families, spam verification emails, mark families as verified, and trigger geocoding actions without the necessary permissions. This vulnerability poses a significant risk to the integrity and availability of ChurchCRM data, especially in multi-tenant environments. Upgrade to version 7.1.0 to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ChurchCRM API with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target \u003ccode\u003efamilyId\u003c/code\u003e that they do not have explicit modification rights for.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request to one of the vulnerable endpoints: \u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, or \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the \u003ccode\u003e{familyId}\u003c/code\u003e parameter in the request URL with the target \u003ccode\u003efamilyId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor example, the attacker sends a POST request to \u003ccode\u003e/family/123/activate/false\u003c/code\u003e to deactivate family with ID 123.\u003c/li\u003e\n\u003cli\u003eDue to the lack of role-based access control, the server processes the request without verifying if the attacker has the necessary \u003ccode\u003eEditRecords\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eThe target family\u0026rsquo;s state is modified (e.g., deactivated, marked as verified).\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process for other families and actions, potentially causing widespread disruption or data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39331 allows an attacker to escalate privileges and manipulate sensitive family data within ChurchCRM. This can lead to unauthorized deactivation of families, generation of spam verification emails, inaccurate family verification status, and resource exhaustion due to excessive geocoding requests. While specific victim counts are unknown, all ChurchCRM instances prior to version 7.1.0 are vulnerable. The consequences include reputational damage, data integrity issues, and potential disruption of church operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ChurchCRM to version 7.1.0 to patch CVE-2026-39331 and address the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the vulnerable API endpoints (\u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e) as detected by the Sigma rule \u0026ldquo;ChurchCRM Family ID Manipulation\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and role-based access controls on all API endpoints to prevent unauthorized data modification, especially those handling sensitive data like family records.\u003c/li\u003e\n\u003cli\u003eReview and audit existing ChurchCRM user permissions to identify and revoke any unnecessary privileges that could be exploited in conjunction with this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:44Z","date_published":"2026-04-07T18:16:44Z","id":"/briefs/2026-04-churchcrm-auth-bypass/","summary":"An authenticated API user of ChurchCRM prior to v7.1.0 can bypass authorization checks and modify arbitrary family records by manipulating the familyId parameter in API requests, leading to privilege escalation and potential data manipulation.","title":"ChurchCRM Authenticated API User Authorization Bypass (CVE-2026-39331)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35395"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35395","sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeGIA (Web gerenciador para instituições assistenciais) is a web manager for charitable institutions. Versions prior to 3.6.9 are susceptible to a critical SQL injection vulnerability (CVE-2026-35395) found in the \u003ccode\u003edao/memorando/DespachoDAO.php\u003c/code\u003e file. The \u003ccode\u003eid_memorando\u003c/code\u003e parameter, extracted from the \u003ccode\u003e$_REQUEST\u003c/code\u003e array, is directly incorporated into SQL queries without any validation or sanitization. This flaw enables authenticated users with low privileges to inject arbitrary SQL commands, potentially leading to complete database compromise. Successful exploitation could result in data breaches, modification of sensitive information, and denial-of-service conditions. Defenders should prioritize upgrading to version 3.6.9 or applying provided patches immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the WeGIA web application.\u003c/li\u003e\n\u003cli\u003eThe user navigates to a page that triggers the execution of \u003ccode\u003edao/memorando/DespachoDAO.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application extracts the \u003ccode\u003eid_memorando\u003c/code\u003e parameter from the \u003ccode\u003e$_REQUEST\u003c/code\u003e array using the HTTP GET or POST method.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eid_memorando\u003c/code\u003e parameter containing SQL injection payloads (e.g., \u003ccode\u003e1; DROP TABLE users; --\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application directly interpolates the attacker-controlled \u003ccode\u003eid_memorando\u003c/code\u003e parameter into an SQL query without proper sanitization within the \u003ccode\u003eDespachoDAO.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe database server executes the injected SQL command, allowing the attacker to manipulate database records, read sensitive data, or execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive data from the database, such as user credentials, financial information, or confidential memorandums.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete database compromise, potentially leading to a full system takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe SQL injection vulnerability in WeGIA versions prior to 3.6.9 poses a significant risk to charitable institutions using the software. Successful exploitation can lead to unauthorized access to sensitive donor information, financial records, and confidential communications. The potential impact includes data breaches, financial losses, reputational damage, and legal liabilities. Given the nature of the targeted institutions, this vulnerability could severely disrupt their operations and erode public trust, potentially affecting thousands of individuals. Organizations that do not apply the patch are vulnerable to data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade WeGIA to version 3.6.9 to remediate the SQL injection vulnerability described in CVE-2026-35395.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data, especially the \u003ccode\u003eid_memorando\u003c/code\u003e parameter in \u003ccode\u003eDespachoDAO.php\u003c/code\u003e, to prevent future SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WeGIA SQL Injection Attempts\u0026rdquo; to your SIEM and tune it for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads targeting the \u003ccode\u003edao/memorando/DespachoDAO.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eRestrict database access privileges to the minimum required for WeGIA to function correctly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T21:16:21Z","date_published":"2026-04-06T21:16:21Z","id":"/briefs/2026-04-wegia-sql-injection/","summary":"WeGIA web manager versions prior to 3.6.9 are vulnerable to SQL injection, allowing authenticated users to execute arbitrary SQL commands by directly interpolating the id_memorando parameter from $_REQUEST into SQL queries without validation, as identified by CVE-2026-35395.","title":"WeGIA Web Manager SQL Injection Vulnerability (CVE-2026-35395)","url":"https://feed.craftedsignal.io/briefs/2026-04-wegia-sql-injection/"}],"language":"en","next_url":"/tags/web-application/page/2/feed.json","title":"CraftedSignal Threat Feed — Web-Application","version":"https://jsonfeed.org/version/1.1"}