Web-Application — CraftedSignal Threat Feed

OpenMRS Module Upload Path Traversal Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 17:39:31 +0000

OpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the POST /openmrs/ws/rest/v1/module endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted .omod archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. The vulnerability stems from incomplete path validation within the WebModuleUtil.startModule() function, an oversight compared to other extraction methods within the same codebase that are properly protected.

Attack Chain

The attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.
The attacker crafts a malicious .omod file containing a ZIP entry with a path traversal payload, such as web/module/../../../../.jsp.
The attacker sends a POST request to the /openmrs/ws/rest/v1/module endpoint, uploading the malicious .omod file.
The server receives the request and parses the uploaded .omod file, treating it as a ZIP archive.
During module loading via WebModuleUtil.startModule(), the server extracts entries under the web/module/ directory.
Due to an incomplete check, the entry web/module/../../../../.jsp passes the initial validation.
The server attempts to write the extracted file to a path constructed by concatenating the traversed path, resulting in writing the file outside the intended WEB-INF/view/module/ directory.
If the written file is a JSP script, accessing it via a browser triggers server-side execution, achieving Remote Code Execution (RCE).

Impact

Successful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS’s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of potentially affected installations is unknown, but the vulnerability impacts a widely used version of the platform.

Recommendation

Apply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.
Deploy the Sigma rule Detect OpenMRS Malicious Module Upload to identify exploitation attempts based on HTTP requests to the /openmrs/ws/rest/v1/module endpoint with suspicious file extensions in the query parameters.
Enable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.
Monitor file creation events within the web application root directory for suspicious JSP files. Use the Sigma rule Detect JSP File Creation in Web Application Root as a starting point.
Enforce the module.allow_web_admin restriction consistently across all module upload entry points, including the REST API to prevent bypass.

Quarkus Vertx HTTP Authorization Bypass via Matrix Parameters

hello@craftedsignal.io — Mon, 04 May 2026 17:20:20 +0000

A vulnerability exists in Quarkus Vertx HTTP versions < 3.20.6.1, >= 3.21.0 and < 3.27.3.1, >= 3.30.0 and < 3.33.1.1, and >= 3.34.0 and < 3.35.1.1. The vulnerability, designated as CVE-2026-39852, allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. By appending a semicolon (;) and arbitrary text to the request URL, attackers can gain unauthorized access to protected resources. This vulnerability stems from an inconsistency in path normalization: Quarkus’s security layer checks the raw URL path, while RESTEasy Reactive’s routing layer strips matrix parameters before matching endpoints. This means a request like /api/admin;anything can bypass authorization for /api/admin while still routing to the protected endpoint. This issue was discovered and verified by the GitHub Security Lab.

Attack Chain

An attacker identifies a protected endpoint, such as /api/admin, that requires authentication or specific privileges.
The attacker crafts a malicious HTTP request targeting the protected endpoint but appends a semicolon and arbitrary text, such as /api/admin;anything.
The request is sent to the Quarkus Vertx HTTP server.
Quarkus’s security layer performs an authorization check on the raw URL path /api/admin;anything, which may not match the intended authorization rules for /api/admin.
RESTEasy Reactive’s routing layer strips the matrix parameters (;anything) from the URL, resulting in the endpoint /api/admin being matched.
The request is routed to the protected endpoint /api/admin, bypassing the intended authorization checks.
The attacker gains unauthorized access to the protected resource or functionality.
The attacker performs actions they would not normally be authorized to perform, such as accessing sensitive data or modifying system configurations.

Impact

Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, modification of system configurations, or other malicious activities. The vulnerability affects Quarkus Vertx HTTP applications that rely on path-based authorization policies. The number of affected applications is currently unknown, but any application using the vulnerable versions of Quarkus Vertx HTTP is susceptible.

Recommendation

Upgrade Quarkus Vertx HTTP to a patched version (>= 3.20.6.1, >= 3.27.3.1, >= 3.33.1.1, >= 3.35.1.1) to remediate CVE-2026-39852.
Deploy the Sigma rule Detect Quarkus Authorization Bypass Attempt to identify potential exploitation attempts in web server logs.
Monitor web server logs for requests containing semicolons in the URL path to detect potential exploitation attempts using the Monitor Semicolons in URL Path Sigma rule.

Langflow Multiple Vulnerabilities Allow Code Execution

hello@craftedsignal.io — Mon, 04 May 2026 10:39:06 +0000

Langflow is vulnerable to multiple security flaws that could allow a remote attacker to execute arbitrary code on the affected system. Successful exploitation of these vulnerabilities requires the attacker to be authenticated. The specific nature of these vulnerabilities is not detailed in the advisory, however the potential impact is severe, allowing for complete system compromise if successfully exploited. Defenders should prioritize identifying and mitigating installations of Langflow that are exposed to untrusted networks or users.

Attack Chain

An authenticated attacker gains initial access to the Langflow application.
The attacker crafts a malicious request targeting one of the unspecified vulnerabilities.
The malicious request is sent to the Langflow server.
The Langflow server processes the request, triggering the vulnerability.
The vulnerability allows the attacker to inject arbitrary code into the Langflow process.
The injected code executes within the context of the Langflow application.
The attacker leverages the initial code execution to escalate privileges.
The attacker achieves arbitrary code execution on the underlying system.

Impact

Successful exploitation of these vulnerabilities allows a remote, authenticated attacker to execute arbitrary code on the Langflow server. This could lead to a complete compromise of the affected system, including the theft of sensitive data, the installation of malware, and the disruption of services. Given the lack of specific vulnerability details, it is difficult to estimate the precise number of potentially affected installations.

Recommendation

Monitor Langflow application logs for suspicious activity indicative of unauthorized access or code execution.
Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.
Implement strict access controls for the Langflow application to minimize the attack surface.

YunaiV yudao-cloud Authentication Bypass Vulnerability (CVE-2026-7710)

hello@craftedsignal.io — Mon, 04 May 2026 00:16:39 +0000

CVE-2026-7710 is an authentication bypass vulnerability affecting YunaiV’s yudao-cloud, specifically versions up to 3.8.0. The vulnerability resides in the doFilterInternal function within the JwtAuthenticationTokenFilter.java file of the Ruoyi-Vue-Pro component. An attacker can exploit this vulnerability by manipulating the mock-token argument, leading to improper authentication. This allows a remote attacker to potentially gain unauthorized access to the application. Public exploits are available, increasing the risk of exploitation. The vendor was notified but has not responded.

Attack Chain

Attacker identifies a YunaiV yudao-cloud instance running a vulnerable version (<= 3.8.0).
Attacker crafts a malicious HTTP request targeting an endpoint protected by authentication.
The crafted request includes a manipulated mock-token argument designed to bypass the JWT authentication filter.
The JwtAuthenticationTokenFilter.java component processes the request and improperly validates the manipulated mock-token.
Due to the flawed authentication logic, the attacker is granted unauthorized access as an authenticated user.
Attacker gains access to protected resources and functionalities within the application.
Attacker performs privileged actions such as data modification, account takeover, or further exploitation of the system.

Impact

Successful exploitation of CVE-2026-7710 allows attackers to bypass authentication and gain unauthorized access to YunaiV yudao-cloud applications. This can lead to the compromise of sensitive data, modification of application settings, and potentially full system takeover. Given the availability of public exploits, organizations using affected versions of yudao-cloud are at high risk. The CVSS v3.1 base score for this vulnerability is 7.3, indicating a high severity level.

Recommendation

Upgrade YunaiV yudao-cloud to a patched version that addresses CVE-2026-7710.
Deploy the Sigma rule Detect Malicious Mock Token Argument to identify exploitation attempts by monitoring web server logs for the presence of a mock-token argument.
Implement input validation on the server side to ensure that mock-token values conform to expected patterns.

Tiandy Easy7 Integrated Management Platform OS Command Injection Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 14:16:27 +0000

A critical vulnerability, CVE-2026-7698, has been identified in Tiandy Easy7 Integrated Management Platform version 7.17.0. This vulnerability resides within the /Easy7/rest/systemInfo/updateDbBackupInfo file, specifically related to the week argument. Successful exploitation allows for arbitrary OS command injection. This vulnerability is remotely exploitable, meaning an attacker can trigger it over the network without needing local access. Publicly available exploit code exists, increasing the likelihood of exploitation. The vendor was notified but has not responded. Defenders should take immediate action to mitigate this risk.

Attack Chain

An attacker identifies a vulnerable Tiandy Easy7 Integrated Management Platform running version 7.17.0.
The attacker crafts a malicious HTTP request targeting the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint.
The crafted request includes a payload within the week argument designed to inject OS commands.
The vulnerable application fails to properly sanitize or validate the week argument.
The application executes the injected OS command with the privileges of the web server.
The attacker gains arbitrary code execution on the server.
The attacker can then perform further actions such as installing malware, exfiltrating data, or pivoting to other systems on the network.

Impact

Successful exploitation of CVE-2026-7698 allows an attacker to execute arbitrary commands on the affected system. This could lead to complete system compromise, data breaches, denial of service, or further lateral movement within the network. Given the publicly available exploit, organizations using Tiandy Easy7 Integrated Management Platform 7.17.0 are at immediate risk.

Recommendation

Apply available patches from Tiandy if they become available.
Monitor web server logs for requests to /Easy7/rest/systemInfo/updateDbBackupInfo containing suspicious characters or command injection attempts. Deploy the Sigma rule Detect Suspicious Requests to updateDbBackupInfo to your SIEM.
Implement input validation and sanitization on the week argument within the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint.
Monitor process creation events for unusual processes spawned by the web server, using the Sigma rule Detect OS Command Injection via Web Request.
Review and restrict network access to the Tiandy Easy7 Integrated Management Platform to only authorized users and systems.

Jinher OA 1.0 SQL Injection Vulnerability (CVE-2026-7670)

hello@craftedsignal.io — Sat, 02 May 2026 23:16:16 +0000

A SQL injection vulnerability, identified as CVE-2026-7670, affects Jinher OA 1.0, a web-based office automation software. The vulnerability resides within the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx file, specifically in how the application handles the ‘DeptIDList’ argument. An unauthenticated remote attacker can manipulate this argument to inject malicious SQL code into database queries. The vulnerability was reported to the vendor; however, there has been no response, and an exploit is publicly available. This lack of response and the availability of an exploit increases the risk to organizations using the affected Jinher OA 1.0.

Attack Chain

An attacker identifies a Jinher OA 1.0 instance exposed to the internet.
The attacker crafts a malicious HTTP GET or POST request targeting the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx endpoint.
The request includes a modified DeptIDList parameter containing SQL injection payloads.
The server-side application fails to properly sanitize or validate the DeptIDList input.
The unsanitized input is passed directly into a SQL query executed against the underlying database.
The injected SQL code is executed by the database server, potentially allowing the attacker to bypass authentication, extract sensitive data, or modify data.
The attacker retrieves sensitive information, such as user credentials, internal configurations, or financial data, depending on the database structure and injected SQL commands.
The attacker leverages compromised data to gain further access, escalate privileges, or conduct lateral movement within the organization’s network.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7670) can lead to unauthorized access to sensitive data, including user credentials, financial records, and internal communications. An attacker could potentially gain complete control over the affected Jinher OA 1.0 system and the underlying database. This could result in significant data breaches, financial losses, reputational damage, and disruption of business operations. Given the lack of vendor response, organizations using Jinher OA 1.0 are particularly vulnerable and should take immediate action to mitigate this risk.

Recommendation

Inspect web server logs for requests to /C6/JHSoft.Web.PlanSummarize/UserSel.aspx containing suspicious characters or SQL keywords within the DeptIDList parameter, as covered by the Sigma rule “Detect Jinher OA SQL Injection Attempt via DeptIDList”.
Apply input validation and sanitization to all user-supplied data, especially the DeptIDList parameter in /C6/JHSoft.Web.PlanSummarize/UserSel.aspx, to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Generic SQL Injection Attempt” to identify broader SQL injection attempts across your web applications.
Given the vendor’s lack of response, consider isolating the affected Jinher OA 1.0 instance from the network or replacing it with a more secure alternative.

InnoShop Improper Authentication Vulnerability (CVE-2026-7630)

hello@craftedsignal.io — Sat, 02 May 2026 14:16:18 +0000

A critical vulnerability, CVE-2026-7630, affects innocommerce InnoShop versions up to 0.7.8. The vulnerability resides in the InstallServiceProvider::boot function within the innopacks/install/src/InstallServiceProvider.php file, which governs the installation endpoint. Successful exploitation allows remote attackers to bypass authentication mechanisms, potentially leading to complete system compromise. Publicly available exploits exist, increasing the risk of active exploitation. It is crucial for administrators to apply the provided patch (identifier: 45758e4ec22451ab944ae2ae826b1e70f6450dc9) immediately.

Attack Chain

An attacker identifies an InnoShop instance running a vulnerable version (<= 0.7.8).
The attacker crafts a malicious HTTP request targeting the installation endpoint (innopacks/install/src/InstallServiceProvider.php).
The request exploits the improper authentication in the InstallServiceProvider::boot function.
Authentication checks are bypassed due to the vulnerability.
The attacker gains unauthorized access to the installation process.
The attacker injects malicious code or configurations during the installation phase.
The injected code executes with elevated privileges, granting the attacker control over the InnoShop instance.
The attacker establishes a persistent backdoor for future access and potential data exfiltration or further malicious activities.

Impact

Successful exploitation of CVE-2026-7630 allows unauthenticated remote attackers to compromise InnoShop installations. This can lead to complete control of the web server, potentially affecting sensitive customer data, financial information, and intellectual property. Given the ease of exploitation and publicly available exploits, unpatched InnoShop instances are at high risk of compromise. The number of affected installations is currently unknown, but the widespread use of InnoShop in e-commerce makes this a significant threat.

Recommendation

Immediately apply the patch identified by 45758e4ec22451ab944ae2ae826b1e70f6450dc9 to remediate the improper authentication vulnerability.
Deploy the Sigma rule “Detect InnoShop Installation Endpoint Access” to identify unauthorized access attempts to the installation endpoint.
Monitor web server logs for suspicious activity targeting the innopacks/install/src/InstallServiceProvider.php path, based on “Detect InnoShop Installation Endpoint Access” to identify post-exploitation attempts.

code-projects Online Hospital Management System SQL Injection Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 14:16:18 +0000

CVE-2026-7632 is a critical security flaw affecting code-projects Online Hospital Management System version 1.0. The vulnerability lies within the /viewappointment.php file, where insufficient input validation allows for SQL injection via the delid argument. A remote attacker can exploit this vulnerability to inject arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit is publicly disclosed, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to organizations using the affected system, as it could compromise sensitive patient data and disrupt hospital operations.

Attack Chain

The attacker identifies an instance of code-projects Online Hospital Management System 1.0 running the vulnerable /viewappointment.php script.
The attacker crafts a malicious HTTP request targeting /viewappointment.php with a specially crafted delid parameter containing SQL injection payloads.
The application fails to properly sanitize the delid input, allowing the injected SQL code to be passed to the database.
The injected SQL code is executed against the database server.
The attacker retrieves sensitive data such as patient records, usernames, and passwords from the database using SQL queries like UNION SELECT.
The attacker may modify or delete data within the database.
The attacker could potentially escalate privileges within the application by manipulating user roles or injecting administrative accounts.

Impact

Successful exploitation of CVE-2026-7632 can lead to severe consequences, including unauthorized access to sensitive patient data, such as medical history, personal information, and financial records. Attackers could modify or delete critical data, disrupting hospital operations and potentially impacting patient care. The vulnerability could also allow attackers to gain control of the system, leading to further malicious activities like data exfiltration or ransomware deployment. This poses a significant risk to the privacy and security of patient information.

Recommendation

Deploy the Sigma rule Detect SQL Injection in Online Hospital Management System to your SIEM to identify exploitation attempts targeting the /viewappointment.php endpoint.
Implement input validation and sanitization measures in the /viewappointment.php script to prevent SQL injection attacks.
Upgrade to a patched version of code-projects Online Hospital Management System that addresses CVE-2026-7632 (if available).

OS Command Injection Vulnerability in p_69_branch_monkey_mcp Preview Endpoint (CVE-2026-7590)

hello@craftedsignal.io — Sat, 02 May 2026 12:00:00 +0000

A critical OS command injection vulnerability, CVE-2026-7590, has been identified in the Preview Endpoint of eyal-gor’s p_69_branch_monkey_mcp. This vulnerability affects versions up to commit 69bc71874ce40050ef45fde5a435855f18af3373. A remote attacker can exploit this flaw by manipulating the dev_script argument within the branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py file. Successful exploitation allows for arbitrary command execution on the host operating system. The exploit is publicly available, increasing the risk of widespread exploitation. The vendor has been notified but has not yet responded. The lack of versioning makes it difficult to determine the exact scope of affected installations.

Attack Chain

The attacker identifies a vulnerable instance of p_69_branch_monkey_mcp running a web server.
The attacker crafts a malicious HTTP request targeting the Preview Endpoint.
The request includes a payload in the dev_script argument designed to inject OS commands via the branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py file.
The web server processes the request, passing the attacker-controlled dev_script argument to a function that executes system commands without proper sanitization.
The injected OS command is executed by the server, potentially with the privileges of the web server user. For example, an attacker could inject ls -la to list directory contents.
The output of the injected command is returned to the attacker via the web server’s response, confirming successful command execution.
The attacker leverages the initial command execution to escalate privileges, install persistent backdoors, or move laterally within the network, depending on the server’s configuration and accessible resources.
The attacker achieves their final objective, such as data exfiltration, system compromise, or denial of service.

Impact

Successful exploitation of CVE-2026-7590 allows a remote attacker to execute arbitrary OS commands on the affected server. This could lead to complete system compromise, including data theft, malware installation, and denial of service. The lack of version information makes it difficult to ascertain the number of vulnerable installations, but given the publicly available exploit, widespread exploitation is possible. Organizations using p_69_branch_monkey_mcp are at high risk.

Recommendation

Monitor web server logs for suspicious requests targeting the Preview Endpoint and containing potentially malicious payloads in the dev_script parameter as described in the attack chain. Use the “p_69_branch_monkey_mcp_command_injection” Sigma rule.
Inspect process creation events for unexpected processes spawned by the web server, indicating potential command injection. Use the “p_69_branch_monkey_mcp_unexpected_process” Sigma rule.
Implement input validation and sanitization on the dev_script parameter in the branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py file to prevent command injection.
Although specific vulnerable versions are unavailable, immediately investigate and patch any instances of p_69_branch_monkey_mcp due to the public exploit availability.

Zyosoft School App Insecure Direct Object Reference Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 10:16:19 +0000

The Zyosoft School App is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability identified as CVE-2026-7491. This flaw allows authenticated remote attackers to bypass authorization controls by modifying specific parameters within the application’s requests. By manipulating these parameters, attackers can gain unauthorized access to sensitive data belonging to other users, as well as modify that data. Successful exploitation allows unauthorized data access and modification, potentially leading to data breaches, privacy violations, and manipulation of user accounts. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential abuse.

Attack Chain

An attacker authenticates to the Zyosoft School App using valid credentials.
The attacker identifies a request that includes a user-controlled parameter referencing a specific object (e.g., user ID, record number).
The attacker modifies the value of this parameter to reference a different object belonging to another user.
The attacker sends the modified request to the server.
The server, lacking proper authorization checks, processes the request using the attacker-supplied object reference.
The server returns the data associated with the targeted user’s object to the attacker.
The attacker can further modify parameters to alter the data of the targeted user.
The attacker successfully reads or modifies the targeted user’s data without proper authorization.

Impact

Successful exploitation of CVE-2026-7491 allows authenticated attackers to read and modify other users’ data within the Zyosoft School App. This can lead to severe consequences, including unauthorized access to sensitive student or staff information, modification of grades or attendance records, and potential data breaches. The number of affected users depends on the app’s deployment size, but any instance is vulnerable. This issue could affect any educational institution using the Zyosoft School App.

Recommendation

Inspect web server logs for requests containing unusual parameter modifications, specifically those referencing user IDs or other sensitive data fields (webserver logs).
Deploy the Sigma rule provided below to detect attempts to access or modify resources using potentially manipulated object references (Sigma rule).
Implement robust authorization checks in the Zyosoft School App to verify that users only have access to resources they are explicitly authorized to access.
Contact Zyosoft for a patch addressing CVE-2026-7491.

Sunnet CTMS SQL Injection Vulnerability (CVE-2026-7489)

hello@craftedsignal.io — Sat, 02 May 2026 10:16:18 +0000

A SQL Injection vulnerability, identified as CVE-2026-7489, exists in CTMS developed by Sunnet. This flaw allows authenticated remote attackers to inject arbitrary SQL commands. Successful exploitation could allow the attackers to read, modify, and delete database contents. The vulnerability was published on May 2, 2026. The scope of this vulnerability affects systems running the vulnerable CTMS software, potentially leading to data breaches and system compromise.

Attack Chain

The attacker authenticates to the CTMS application.
The attacker identifies an endpoint vulnerable to SQL injection.
The attacker crafts a malicious SQL query designed to exploit the injection point, likely using tools like Burp Suite or SQLMap.
The attacker injects the SQL payload via a crafted HTTP request, targeting vulnerable parameters within the request.
The CTMS application executes the injected SQL query against the database.
The attacker bypasses authentication or authorization controls to gain elevated privileges within the application or database.
The attacker reads sensitive data from the database, such as user credentials or confidential business information.
The attacker modifies or deletes database entries, leading to data corruption or denial of service.

Impact

Successful exploitation of this SQL injection vulnerability could allow attackers to read sensitive information, modify data, or delete critical database contents. This could lead to a complete compromise of the CTMS application and its underlying database, impacting all users and data managed by the system. The severity is heightened by the potential for attackers to gain complete control over the database, leading to significant data breaches and operational disruption.

Recommendation

Apply the patch or upgrade CTMS to a version that addresses CVE-2026-7489 as soon as it becomes available from Sunnet.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts” to identify potential exploitation attempts against CTMS (see below).
Review web server logs for suspicious activity indicative of SQL injection attempts, specifically looking for unusual characters or SQL syntax in HTTP request parameters.
Implement proper input validation and sanitization techniques to prevent SQL injection vulnerabilities in CTMS and other web applications.

Flux159 mcp-game-asset-gen Path Traversal Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 21:16:17 +0000

A path traversal vulnerability, identified as CVE-2026-7594, has been discovered in Flux159 mcp-game-asset-gen version 0.1.0. The vulnerability resides within the image_to_3d_async function located in the src/index.ts file of the MCP Interface component. Successful exploitation allows a remote attacker to manipulate the statusFile argument, potentially leading to unauthorized file access and modification. Public exploits are available, increasing the risk of widespread exploitation. The project maintainers were notified via an issue report, but have not yet addressed the vulnerability. This lack of response, coupled with the existence of public exploits, elevates the urgency for defenders.

Attack Chain

The attacker identifies a vulnerable instance of mcp-game-asset-gen 0.1.0 running on a remote server.
The attacker crafts a malicious HTTP request targeting the image_to_3d_async function.
Within the request, the attacker manipulates the statusFile argument to include path traversal sequences (e.g., “../”).
The server-side application processes the request, using the attacker-controlled statusFile value to construct a file path.
Due to insufficient input validation, the path traversal sequences are not properly sanitized.
The application attempts to read or write to a file outside the intended directory, based on the manipulated path.
If successful, the attacker gains unauthorized access to sensitive files or overwrites critical system files.
The attacker leverages the file access to further compromise the system, potentially leading to code execution or data exfiltration.

Impact

Successful exploitation of this path traversal vulnerability could allow attackers to read sensitive files, overwrite critical system files, or even achieve remote code execution on the affected server. This could lead to data breaches, system instability, or complete server compromise. Given the availability of public exploits, organizations using mcp-game-asset-gen 0.1.0 are at immediate risk.

Recommendation

Apply input validation and sanitization to the statusFile argument within the image_to_3d_async function to prevent path traversal, addressing CVE-2026-7594.
Monitor web server logs for suspicious requests containing path traversal sequences (e.g., “../”) in the statusFile parameter using the provided Sigma rule.
Implement the Sigma rule targeting process creation events related to the exploitation of CVE-2026-7594.

SQL Injection Vulnerability in itsourcecode Courier Management System

hello@craftedsignal.io — Fri, 01 May 2026 20:16:24 +0000

itsourcecode Courier Management System 1.0 is vulnerable to a SQL injection vulnerability. The vulnerability resides in the /edit_staff.php file and can be exploited by manipulating the ID argument. This allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit is publicly available, increasing the risk of exploitation. The vulnerability was reported on May 1, 2026, and affects version 1.0 of the Courier Management System.

Attack Chain

The attacker identifies the /edit_staff.php endpoint in the Courier Management System 1.0.
The attacker crafts a malicious SQL injection payload within the ID parameter of a HTTP GET or POST request.
The attacker sends the crafted request to the /edit_staff.php endpoint.
The application fails to properly sanitize the ID parameter, allowing the SQL injection payload to be processed by the database.
The injected SQL query is executed against the database, potentially allowing the attacker to bypass authentication or authorization controls.
The attacker retrieves sensitive information from the database, such as user credentials, financial records, or other confidential data.
The attacker modifies data in the database, potentially altering application behavior or causing data corruption.
The attacker gains full control of the database server.

Impact

Successful exploitation of this SQL injection vulnerability could allow attackers to read, modify, or delete sensitive data within the Courier Management System database. This could lead to unauthorized access to customer information, financial data, and other confidential records. Given the public availability of the exploit, organizations using Courier Management System 1.0 are at a high risk of compromise.

Recommendation

Apply input validation and sanitization to the ID parameter in /edit_staff.php to prevent SQL injection (CVE-2026-7592).
Deploy the provided Sigma rule to detect potential SQL injection attempts targeting the /edit_staff.php endpoint.
Implement a web application firewall (WAF) rule to block known SQL injection payloads (CVE-2026-7592).

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 05:16:03 +0000

On May 1, 2026, a SQL injection vulnerability, CVE-2026-7549, was disclosed in SourceCodester Pharmacy Sales and Inventory System version 1.0. The vulnerability resides in the /ajax.php?action=delete_customer endpoint, where the ID parameter is susceptible to manipulation, enabling remote attackers to inject arbitrary SQL commands. Publicly available exploit code exists, increasing the risk of exploitation. Successful exploitation can lead to unauthorized data access, modification, or deletion within the application’s database. This vulnerability is particularly concerning due to the sensitive nature of pharmacy data, potentially impacting confidentiality, integrity, and availability.

Attack Chain

Attacker identifies the vulnerable /ajax.php?action=delete_customer endpoint in SourceCodester Pharmacy Sales and Inventory System 1.0.
Attacker crafts a malicious HTTP request targeting the vulnerable endpoint.
The malicious request includes a manipulated ID parameter containing a SQL injection payload.
The application fails to properly sanitize the ID parameter before incorporating it into a SQL query.
The injected SQL code is executed against the application’s database.
The attacker gains unauthorized access to sensitive data, such as customer information, prescription details, or inventory levels.
The attacker may modify or delete data within the database, potentially disrupting pharmacy operations or causing data integrity issues.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7549) can lead to the complete compromise of the SourceCodester Pharmacy Sales and Inventory System database. Attackers could potentially exfiltrate sensitive patient data, modify prescription information, or disrupt pharmacy operations by deleting critical data. The vulnerability has a CVSS v3.1 score of 7.3 (HIGH), indicating a significant risk. The number of victims and specific sectors targeted remain unknown, but any pharmacy using the affected version is potentially at risk.

Recommendation

Apply input validation and sanitization to all user-supplied input, especially the ID parameter in /ajax.php?action=delete_customer, to prevent SQL injection (CWE-89).
Deploy the Sigma rule “Detect SQL Injection Attempts in Pharmacy Sales System” to identify and block malicious requests targeting the vulnerable endpoint.
Upgrade to a patched version of SourceCodester Pharmacy Sales and Inventory System that addresses CVE-2026-7549 once available.
Monitor web server logs for suspicious activity, such as unusual requests to /ajax.php?action=delete_customer, to detect potential exploitation attempts.

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 05:16:03 +0000

SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection via the /ajax.php?action=save_customer endpoint. Disclosed on May 1, 2026, the vulnerability, identified as CVE-2026-7550, allows unauthenticated remote attackers to inject arbitrary SQL commands by manipulating the ID argument. The vulnerability exists due to insufficient input validation. Public exploit code is available, increasing the risk of exploitation. This vulnerability allows attackers to potentially read, modify, or delete sensitive data within the application’s database.

Attack Chain

The attacker identifies the vulnerable endpoint /ajax.php?action=save_customer within the Pharmacy Sales and Inventory System 1.0 application.
The attacker crafts a malicious HTTP GET or POST request targeting the /ajax.php?action=save_customer endpoint.
The crafted request includes a manipulated ID parameter designed to inject SQL commands.
The application fails to properly sanitize the input provided in the ID parameter.
The application executes the attacker-supplied SQL code against the database.
The attacker can retrieve sensitive information, such as customer details, product information, or administrative credentials.
The attacker may modify existing data, such as prices or inventory levels.
The attacker may gain complete control of the database, potentially leading to full system compromise.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7550) can lead to unauthorized access to sensitive data, data modification, or complete database compromise. This could result in financial losses, reputational damage, and legal repercussions for affected organizations. Given the nature of the application, attackers could potentially access patient data or prescription information, leading to severe privacy breaches.

Recommendation

Apply input validation and sanitization to the ID parameter in the /ajax.php?action=save_customer endpoint to prevent SQL injection attacks.
Monitor web server logs for suspicious requests targeting the /ajax.php?action=save_customer endpoint with unusual ID parameter values. Deploy the provided Sigma rule to detect potential exploitation attempts.
Consider using a Web Application Firewall (WAF) to filter out malicious requests targeting this vulnerability.
Upgrade to a patched version of the SourceCodester Pharmacy Sales and Inventory System once available.
Implement regular database backups to mitigate potential data loss due to successful exploitation.

SourceCodester Advanced School Management System SQL Injection Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 02:16:49 +0000

SourceCodester Advanced School Management System version 1.0 is vulnerable to SQL injection in the checkEmail endpoint within the commonController.php file. This vulnerability, identified as CVE-2026-7545, allows a remote attacker to inject arbitrary SQL commands. Publicly available exploits targeting this vulnerability increase the risk of exploitation. Successful exploitation could lead to unauthorized data access, modification, or deletion within the application’s database. Given the availability of public exploits, organizations using this software are at an elevated risk.

Attack Chain

The attacker identifies the checkEmail endpoint in commonController.php.
The attacker crafts a malicious HTTP request to the checkEmail endpoint, injecting SQL code into the email parameter.
The vulnerable application fails to properly sanitize the email input.
The injected SQL code is passed directly to the database query.
The database executes the malicious SQL code.
The attacker gains unauthorized access to the database.
The attacker may then read sensitive data, modify existing data, or insert new malicious data.
The attacker might also use this to escalate privileges within the application.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7545) could allow an attacker to read, modify, or delete sensitive data stored in the Advanced School Management System database. This could include student records, financial information, or administrative credentials. The availability of public exploits increases the likelihood of attacks targeting this vulnerability, potentially impacting any organization using the affected software.

Recommendation

Apply input validation and sanitization to the checkEmail endpoint in commonController.php to prevent SQL injection attacks.
Deploy the Sigma rule Detect ASMS CheckEmail SQL Injection Attempt to identify exploitation attempts in web server logs.
Monitor web server logs for suspicious activity related to the checkEmail endpoint.

Fujian Apex LiveBOS Path Traversal Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 01:16:38 +0000

Fujian Apex LiveBOS, a live broadcasting system, is vulnerable to a path traversal attack. This vulnerability, identified as CVE-2026-7519, exists due to insufficient input validation on the filename parameter within the /feed/UploadImage.do endpoint. Versions up to and including 2.0 are affected. Publicly available exploits exist, increasing the risk of exploitation. An attacker can leverage this flaw to access sensitive files on the server, potentially leading to information disclosure or further system compromise. Upgrading to version 2.1 or applying available patches is strongly recommended.

Attack Chain

An attacker identifies a Fujian Apex LiveBOS instance running version 2.0 or earlier.
The attacker crafts a malicious HTTP request targeting the /feed/UploadImage.do endpoint.
The attacker manipulates the filename parameter within the request, injecting path traversal sequences (e.g., ../../).
The server-side application fails to properly sanitize the filename, allowing the path traversal sequence to be processed.
The application attempts to read a file based on the attacker-controlled path.
If successful, the contents of the targeted file are returned to the attacker in the HTTP response.
The attacker analyzes the leaked file content for sensitive information (e.g., credentials, configuration files).

Impact

Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files on the LiveBOS server. This could include configuration files containing database credentials, private keys, or other confidential information. The impact ranges from information disclosure to potential full system compromise, depending on the accessed data. There are no reported victims or sectors targeted as of yet, but the public availability of the exploit increases the likelihood of exploitation.

Recommendation

Upgrade Fujian Apex LiveBOS to version 2.1 to remediate CVE-2026-7519.
Deploy the Sigma rule Detect LiveBOS Path Traversal Attempt to identify malicious requests exploiting the vulnerability.
Monitor web server logs for requests containing path traversal sequences targeting the /feed/UploadImage.do endpoint.

SSCMS v7.4.0 SQL Injection Vulnerability in stl:sqlContent Tag

hello@craftedsignal.io — Thu, 30 Apr 2026 21:16:34 +0000

SSCMS v7.4.0 is susceptible to a SQL injection vulnerability (CVE-2026-7435) within the stl:sqlContent tag. The vulnerability arises because the queryString attribute is passed directly to database execution without adequate sanitization or parameterization. This flaw enables attackers to inject malicious SQL code by crafting encrypted payloads and submitting them to the /api/stl/actions/dynamic endpoint. Successful exploitation can lead to unauthorized access to the database, disclosure of sensitive information, authentication bypass, modification of data, or even complete compromise of the database. This vulnerability poses a significant risk to organizations using the affected SSCMS version, potentially leading to severe data breaches and system disruption.

Attack Chain

The attacker identifies an SSCMS v7.4.0 instance.
The attacker crafts a malicious SQL injection payload, specifically targeting the queryString attribute within the stl:sqlContent tag.
The attacker encrypts the crafted SQL injection payload.
The attacker sends the encrypted payload to the /api/stl/actions/dynamic endpoint using an HTTP POST request.
The SSCMS application receives the request and processes the stl:sqlContent tag without proper sanitization.
The application executes the attacker-controlled SQL query against the database.
The attacker gains unauthorized access to the database, potentially extracting sensitive data or modifying existing records.
The attacker may escalate privileges or move laterally within the compromised system, depending on the level of access gained.

Impact

Successful exploitation of this SQL injection vulnerability could lead to severe consequences. An attacker could gain complete control over the SSCMS database, potentially exposing sensitive user data, confidential business information, or proprietary intellectual property. Data breaches resulting from this vulnerability could lead to significant financial losses, reputational damage, and legal liabilities. The lack of specifics about victim count or sectors targeted makes quantification difficult, but the potential impact is high for any organization using the affected software.

Recommendation

Apply any available patches or updates for SSCMS v7.4.0 to address the SQL injection vulnerability described in CVE-2026-7435.
Implement input validation and sanitization measures to prevent SQL injection attacks, specifically focusing on the queryString attribute of the stl:sqlContent tag.
Deploy the Sigma rule Detect Suspicious SSCMS stl:sqlContent Requests to identify potential exploitation attempts targeting the /api/stl/actions/dynamic endpoint.

Kirby CMS Missing Authorization Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 21:03:20 +0000

Kirby CMS versions prior to 4.9.0 and between 5.0.0 and 5.3.3 are vulnerable to a missing authorization flaw. This vulnerability impacts Kirby sites where user roles are intentionally configured with restricted access to pages or files through disabled pages.access, pages.list, files.access, or files.list permissions. The issue stems from inconsistent permission checks within the Kirby Panel and REST API, allowing authenticated users to access resources they should not be able to. Updating to versions 4.9.0, 5.4.0, or later resolves this vulnerability by implementing consistent permission checks. The vulnerability is identified as CVE-2026-42137.

Attack Chain

An authenticated user logs into the Kirby CMS Panel or REST API.
The user attempts to access a page or file for which their role lacks the necessary pages.access/files.access or pages.list/files.list permissions.
Due to inconsistent permission checks, the user can view the page or file details via the “changes” dialog in the Panel, even if listing is disabled.
The user accesses the REST API, which, despite direct access checks, fails to properly filter collections or related models (children, drafts, files, etc.).
The attacker views images associated with restricted site, pages, or user resources in lists within the Panel.
The user exploits the incorrect permission check (using pages.access instead of pages.list or files.access instead of files.list in specific API routes).
The user traverses to previous or next files using direct links in the files view, even if those files should not be listable.
The attacker gains unauthorized access to sensitive information or modifies content due to the bypassed permission checks.

Impact

This vulnerability allows authenticated users to bypass intended access restrictions within Kirby CMS, leading to potential unauthorized access to sensitive information and/or unauthorized content modification. The inconsistent permission checks in the Panel and REST API could result in unintended disclosure of data restricted by role-based access controls. Successful exploitation could compromise the confidentiality and integrity of the affected Kirby CMS instance. While the advisory does not list the number of victims, this flaw impacts any Kirby site with restricted roles.

Recommendation

Upgrade to Kirby CMS version 4.9.0 or 5.4.0 (or later) to patch the vulnerability as recommended in the advisory.
Review user role permissions and blueprint configurations to ensure appropriate access controls are in place after patching, as described in the overview.
Monitor web server logs for unusual API requests to resources that should be restricted, using the rules below, to identify potential exploitation attempts.
Implement rate limiting on API endpoints to mitigate potential brute-force attacks attempting to exploit this or other vulnerabilities.

1024-lab smart-admin Improper Access Control Vulnerability (CVE-2026-7468)

hello@craftedsignal.io — Thu, 30 Apr 2026 01:16:03 +0000

A security vulnerability, CVE-2026-7468, has been identified in 1024-lab smart-admin, specifically in versions up to 3.30.0. This flaw resides within an unspecified function of the /smart-admin-api/druid/index.html file, a component of the Demo Site. The vulnerability stems from improper access controls, which could allow unauthorized remote access. The public disclosure of an exploit increases the risk of exploitation. While the 1024-lab project was notified through an issue report, a response or patch has not yet been released, making systems running vulnerable versions susceptible to attack. This vulnerability allows for potential compromise of the application and sensitive data.

Attack Chain

The attacker identifies a vulnerable instance of 1024-lab smart-admin running a version up to 3.30.0.
The attacker crafts a malicious request targeting the /smart-admin-api/druid/index.html endpoint.
The request exploits the improper access control vulnerability to bypass authentication or authorization checks.
The system incorrectly processes the request, granting the attacker unintended access to restricted resources or functionality.
The attacker leverages this unauthorized access to read sensitive data.
The attacker further exploits the vulnerability to modify data or application configurations.
The attacker uses the compromised application to pivot to other systems or data within the network.

Impact

Successful exploitation of CVE-2026-7468 allows attackers to gain unauthorized access to sensitive data and functionality within the 1024-lab smart-admin application. The impact could range from information disclosure to complete system compromise, depending on the specific function affected and the attacker’s objectives. As the vulnerability resides in a ‘Demo Site’ component, the impact is likely to be proof-of-concept or low, but could be more significant if the application is in production.

Recommendation

Monitor web server logs for suspicious requests targeting the /smart-admin-api/druid/index.html endpoint to detect potential exploitation attempts.
Deploy the provided Sigma rule to detect unauthorized access attempts.
Apply any available patches or updates released by 1024-lab to address CVE-2026-7468.

Admidio SAML Signature Validation Bypass Allows Forged AuthnRequests and LogoutRequests

hello@craftedsignal.io — Wed, 29 Apr 2026 21:56:13 +0000

Admidio, a free web-based content management system for organizations and groups, contains a critical vulnerability in its SAML Single Sign-On (SSO) implementation. The validateSignature() method within the SAMLService class returns error strings upon signature validation failure, rather than throwing exceptions. The calling functions, handleSSORequest() and handleSLORequest(), incorrectly assume that the method throws an exception, and therefore, do not check the return value. This oversight renders the smc_require_auth_signed configuration option ineffective, allowing attackers to forge SAML AuthnRequests and LogoutRequests. An attacker can exploit this vulnerability to obtain sensitive user information or cause denial of service by terminating user sessions. This affects Admidio versions 5.0.8 and earlier and requires SAML SSO to be enabled.

Attack Chain

An attacker crafts a malicious SAML AuthnRequest or LogoutRequest without a valid signature, impersonating a legitimate Service Provider (SP).
The attacker sends the forged SAML request to the Admidio instance via HTTP GET or POST to modules/sso/index.php.
The receiveMessage() function parses the SAML binding directly from the HTTP request, requiring no prior authentication.
The Entity ID is extracted from the forged request’s Issuer element, and the corresponding client configuration is loaded.
The validateSignature() function is called, but its return value (indicating signature validity) is discarded.
For AuthnRequests, if the targeted user has an active session ($gValidLogin is true), the login form is skipped.
Admidio builds a SAML Response containing the user’s attributes (login, name, email, roles) and sends it to the attacker-controlled AssertionConsumerServiceURL.
For LogoutRequests, the user’s session is immediately terminated in the database, triggering a cascading single logout across all registered SPs.

Impact

Successful exploitation of this vulnerability can lead to several critical impacts. The primary impact is the complete bypass of signature enforcement, negating the security benefits of the smc_require_auth_signed setting. This can lead to the disclosure of sensitive user attributes, including login name, email, and role memberships, to unauthorized parties by forging SSO requests and redirecting them to attacker-controlled endpoints. Furthermore, attackers can terminate any user’s Admidio session by forging SLO requests, potentially causing a denial-of-service condition. This vulnerability affects all Admidio instances with SAML SSO enabled and can potentially impact all users of the system.

Recommendation

Apply the recommended fix in the Admidio codebase to check the return value of validateSignature() and throw an exception on failure, as outlined in the advisory (https://github.com/advisories/GHSA-25cw-98hg-g3cg).
Deploy the Sigma rule “Admidio Forged SAML AuthnRequest Detection” to detect potentially malicious SAML AuthnRequests lacking a valid signature via webserver logs.
Deploy the Sigma rule “Admidio Forged SAML LogoutRequest Detection” to detect potentially malicious SAML LogoutRequests lacking a valid signature via webserver logs.
Monitor webserver logs for requests to /adm_program/modules/sso/index.php/saml/sso and /adm_program/modules/sso/index.php/saml/slo without proper signature validation to detect potential exploitation attempts.
Upgrade to a patched version of Admidio to address CVE-2026-41669.

Relative Path Traversal Vulnerability in mcpo-simple-server

hello@craftedsignal.io — Wed, 29 Apr 2026 21:16:22 +0000

A relative path traversal vulnerability, identified as CVE-2026-7404, has been discovered in getsimpletool mcpo-simple-server up to version 0.2.0. The vulnerability resides within the delete_shared_prompt function of the src/mcpo_simple_server/services/prompt_manager/base_manager.py file. By manipulating the detail argument, a remote attacker can traverse the file system and delete arbitrary files. The vulnerability is remotely exploitable, and proof-of-concept exploit code is publicly available. The maintainers of the getsimpletool project have been notified of this vulnerability but have not yet responded. This poses a significant risk to systems running mcpo-simple-server, as it could lead to unauthorized file deletion and potential system compromise.

Attack Chain

The attacker identifies a vulnerable mcpo-simple-server instance running version 0.2.0 or earlier.
The attacker crafts a malicious HTTP request targeting the delete_shared_prompt function.
The malicious request includes a manipulated detail argument containing relative path traversal sequences (e.g., ../).
The server-side application processes the request and passes the manipulated detail argument to the delete_shared_prompt function.
The delete_shared_prompt function uses the attacker-controlled detail argument to construct a file path.
Due to the path traversal sequences, the resulting file path points to a location outside the intended directory.
The application attempts to delete the file at the attacker-specified location.
If permissions allow, the file is successfully deleted, leading to potential data loss or system instability.

Impact

Successful exploitation of this vulnerability allows an attacker to delete arbitrary files on the affected system. This can lead to data loss, application malfunction, or even complete system compromise, depending on the files targeted for deletion. Given the public availability of exploit code, systems running vulnerable versions of mcpo-simple-server are at immediate risk. The impact is especially severe if the targeted files are critical system files or application data.

Recommendation

Upgrade mcpo-simple-server to a patched version that addresses CVE-2026-7404, if available from the vendor.
Deploy the Sigma rule Detect Mcpo-Simple-Server Path Traversal Attempt to identify exploitation attempts in web server logs.
Implement strict input validation and sanitization on the detail argument of the delete_shared_prompt function, if patching is not immediately feasible.
Monitor web server logs for suspicious activity, such as requests containing path traversal sequences.
Restrict file system permissions to limit the impact of successful path traversal attacks.

XATABoost CMS 1.0.0 SQL Injection Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:25 +0000

XATABoost CMS 1.0.0 is susceptible to a union-based SQL injection vulnerability (CVE-2018-25300). This flaw enables unauthenticated attackers to inject malicious SQL code through the id parameter in news.php via GET requests. By crafting specific payloads, attackers can manipulate database queries to extract sensitive information. This vulnerability poses a significant risk, as it could lead to data breaches, account compromise, and further exploitation of the affected system. The targeted exploitation vector is the news.php file, making it a critical area for monitoring and mitigation.

Attack Chain

An unauthenticated attacker identifies the news.php endpoint.
The attacker crafts a malicious GET request targeting the id parameter within news.php. This payload contains SQL injection code.
The server-side application fails to properly sanitize the id parameter before constructing the SQL query.
The injected SQL code is executed against the database.
The attacker uses UNION clauses to extract sensitive information from other database tables.
The extracted data is returned as part of the HTTP response.
The attacker parses the HTTP response to retrieve the exfiltrated data.
The attacker uses the exfiltrated data for further malicious activities (e.g., privilege escalation, lateral movement).

Impact

Successful exploitation of this SQL injection vulnerability can result in the unauthorized disclosure of sensitive information stored in the XATABoost CMS database. This includes user credentials, financial data, or other confidential information. The impact could range from a single compromised system to a full-scale data breach, depending on the scope and sensitivity of the data stored within the database. Without further context on affected deployments, the number of potential victims is hard to quantify, but any public-facing XATABoost CMS 1.0.0 instance is vulnerable.

Recommendation

Deploy the Sigma rule Detect XATABoost CMS SQL Injection Attempt to identify malicious GET requests targeting the news.php endpoint and tune for your environment.
Implement input validation and sanitization on the id parameter in the news.php file to prevent SQL injection attacks.
Upgrade to a patched version of XATABoost CMS or implement a web application firewall (WAF) rule to mitigate the vulnerability.
Monitor web server logs for suspicious activity related to news.php and unusual SQL queries.
Review and restrict database user permissions to minimize the impact of successful SQL injection attacks.

Path Traversal Vulnerability in mail-mcp-bridge

hello@craftedsignal.io — Wed, 29 Apr 2026 16:16:29 +0000

A path traversal vulnerability, identified as CVE-2026-7386, has been discovered in fatbobman mail-mcp-bridge version 1.3.3 and prior. The vulnerability resides within the src/mail_mcp_server.py file, specifically affecting an unspecified function that handles the message_ids argument. A remote attacker can exploit this flaw by crafting malicious requests containing manipulated message_ids values. Successful exploitation allows the attacker to traverse the file system and potentially read sensitive files. An exploit is publicly available. The vulnerability is addressed in version 1.3.4, with patch 638b162b26532e32fa8d8047f638537dbdfe197a.

Attack Chain

The attacker identifies a vulnerable instance of mail-mcp-bridge running version 1.3.3 or earlier.
The attacker crafts a malicious HTTP request targeting the endpoint that processes message_ids.
Within the request, the attacker includes a message_ids parameter containing path traversal sequences (e.g., ../).
The server-side application, without proper validation, processes the manipulated message_ids value.
The application attempts to access a file path constructed using the attacker-controlled input.
Due to the path traversal sequences, the application accesses a file outside the intended directory.
The application reads the contents of the traversed file.
The attacker retrieves the contents of the file, gaining access to sensitive information.

Impact

Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server. This could lead to the exposure of sensitive data such as configuration files, application source code, or user data. With a CVSS v3.1 base score of 7.3, this vulnerability poses a significant risk. The number of affected installations is unknown, but any instance of mail-mcp-bridge running a vulnerable version is susceptible to attack.

Recommendation

Upgrade fatbobman mail-mcp-bridge to version 1.3.4 or later to apply the patch 638b162b26532e32fa8d8047f638537dbdfe197a that resolves CVE-2026-7386.
Deploy the Sigma rule “Detect mail-mcp-bridge Path Traversal Attempt” to identify exploitation attempts in web server logs.
Implement input validation on the message_ids parameter to prevent path traversal attacks in web applications, even after patching.

EyouCMS SQL Injection Vulnerability (CVE-2026-7389)

hello@craftedsignal.io — Wed, 29 Apr 2026 16:16:29 +0000

A security vulnerability, CVE-2026-7389, has been identified in EyouCMS, specifically affecting versions up to 1.7.9. This vulnerability stems from insufficient sanitization of user-supplied input passed to the sort_asc argument of the GetSortData function located in the application/common.php file. An unauthenticated, remote attacker can exploit this vulnerability to inject malicious SQL queries into the application. Publicly available exploits increase the risk of widespread exploitation. The project maintainers were notified but have not yet addressed the issue, making timely detection and mitigation critical for defenders.

Attack Chain

The attacker identifies an EyouCMS instance running a vulnerable version (<= 1.7.9).
The attacker crafts a malicious HTTP request targeting the GetSortData function within application/common.php.
The crafted request includes a manipulated sort_asc argument containing a SQL injection payload.
The application processes the request without proper sanitization of the sort_asc parameter.
The unsanitized input is incorporated into a SQL query executed by the application.
The injected SQL code modifies the query logic, allowing the attacker to potentially bypass authentication.
The attacker can read sensitive data from the database, such as user credentials or configuration information.
The attacker may escalate privileges or gain complete control of the database server, leading to data exfiltration or service disruption.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7389) could allow an attacker to read, modify, or delete sensitive data stored in the EyouCMS database. This could include user credentials, financial information, or other confidential data. Since an exploit is publicly available, organizations using vulnerable versions of EyouCMS are at increased risk of compromise, potentially leading to data breaches, financial loss, and reputational damage.

Recommendation

Deploy the Sigma rule Detect EyouCMS SQL Injection via sort_asc Parameter to identify exploitation attempts in web server logs.
Inspect web server logs for suspicious requests targeting application/common.php with unusual parameters in the sort_asc argument based on the Sigma rule.
Apply input validation and sanitization to the sort_asc parameter in the GetSortData function to prevent SQL injection.

Eiceblue Spire-PDF-MCP-Server Path Traversal Vulnerability (CVE-2026-7315)

hello@craftedsignal.io — Wed, 29 Apr 2026 12:00:00 +0000

A path traversal vulnerability, identified as CVE-2026-7315, affects eiceblue spire-pdf-mcp-server version 0.1.1. The vulnerability resides in the get_pdf_path function within the src/spire_pdf_mcp/server.py file. By manipulating the filepath argument, a remote attacker can bypass directory traversal restrictions and potentially access sensitive files on the server. Public exploits are available, increasing the risk of exploitation. The vendor has been notified but has not yet provided a patch or response. This vulnerability poses a significant risk to systems running the affected software.

Attack Chain

The attacker identifies a vulnerable instance of eiceblue spire-pdf-mcp-server 0.1.1 exposed to the network.
The attacker crafts a malicious HTTP request targeting the get_pdf_path function, embedding a path traversal sequence (e.g., ../) within the filepath parameter.
The server receives the request and processes the filepath argument without proper sanitization or validation.
The get_pdf_path function constructs a file path using the attacker-controlled input, allowing the traversal of directories outside the intended PDF file storage location.
The server attempts to access a file outside the intended directory, based on the manipulated path.
If successful, the server reads the contents of the arbitrary file.
The server returns the contents of the file to the attacker.
The attacker gains unauthorized access to sensitive information, potentially including configuration files, credentials, or other confidential data.

Impact

Successful exploitation of CVE-2026-7315 allows a remote attacker to read arbitrary files on the server. This can lead to the disclosure of sensitive information, such as configuration files, credentials, or internal application code. The impact could include complete compromise of the affected system and potential lateral movement within the network. Given the availability of public exploits, the risk of widespread exploitation is elevated.

Recommendation

Deploy the Sigma rule Detect Spire-PDF Path Traversal Attempt to identify malicious requests containing path traversal sequences.
Monitor web server logs for HTTP requests targeting the get_pdf_path function with suspicious filepath parameters (e.g., containing “../”).
Implement strict input validation and sanitization measures for the filepath argument in the get_pdf_path function to prevent path traversal attacks.
Apply any available patches or updates from the vendor as soon as they are released to address CVE-2026-7315.

eiceblue spire-doc-mcp-server Path Traversal Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 12:00:00 +0000

A critical path traversal vulnerability has been identified in eiceblue spire-doc-mcp-server version 1.0.0. The vulnerability resides within the get_doc_path function of the src/spire_doc_mcp/api/base.py file. By manipulating the document_name argument, an attacker can bypass intended directory restrictions and access files outside the designated document path. This attack can be initiated remotely without authentication, posing a significant risk. Public exploits are available, increasing the likelihood of exploitation. The vendor was notified through an issue report, but has not yet responded.

Attack Chain

The attacker sends a crafted HTTP request to the spire-doc-mcp-server.
The request targets an endpoint that utilizes the vulnerable get_doc_path function.
The attacker manipulates the document_name parameter within the request.
The document_name parameter contains a path traversal sequence (e.g., “../”) designed to escape the intended directory.
The get_doc_path function fails to properly sanitize or validate the document_name input.
The application constructs a file path based on the malicious input.
The application attempts to read the file at the attacker-controlled path.
The attacker successfully retrieves the contents of an arbitrary file on the server.

Impact

Successful exploitation of this path traversal vulnerability allows an attacker to read sensitive files on the server. This could include configuration files containing credentials, source code, or other confidential data. The CVSS v3.1 score of 7.3 reflects the high severity of this issue. The lack of vendor response and availability of public exploits significantly increases the risk to organizations using vulnerable versions of spire-doc-mcp-server.

Recommendation

Deploy the Sigma rule Detect Spire-doc-mcp-server Path Traversal Attempt to your SIEM to detect exploitation attempts by monitoring web server logs for path traversal sequences.
Apply input validation and sanitization to the document_name argument in the get_doc_path function within src/spire_doc_mcp/api/base.py to prevent path traversal.
Monitor web server logs for HTTP requests containing path traversal sequences (e.g., “..%2F”, “../”) targeting endpoints related to document retrieval.

Elinsky execution-system-mcp Path Traversal Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 10:00:00 +0000

A path traversal vulnerability, identified as CVE-2026-7319, affects elinsky execution-system-mcp version 0.1.0. The vulnerability resides in the _get_context_file_path function located within the src/execution_system_mcp/server.py file, which is part of the add_action Tool component. By manipulating the context argument, a remote attacker can bypass directory restrictions and access unauthorized files. The existence of a published exploit increases the risk of this vulnerability being actively exploited. Defenders should prioritize patching and implementing mitigations to prevent potential data breaches or system compromise.

Attack Chain

The attacker identifies a vulnerable instance of elinsky execution-system-mcp 0.1.0 running remotely.
The attacker crafts a malicious HTTP request targeting the add_action tool.
Within the HTTP request, the attacker injects a path traversal sequence (e.g., ../) into the context argument of the _get_context_file_path function.
The _get_context_file_path function processes the tainted input without proper sanitization, allowing the path traversal sequence to resolve to a file outside of the intended directory.
The server attempts to read the file specified by the attacker-controlled path.
Sensitive information from the targeted file is read by the server.
The server returns the content of the file, or an error message indicating the file content, to the attacker.
The attacker obtains sensitive information, potentially leading to further exploitation, such as privilege escalation or data exfiltration.

Impact

Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server. This could lead to the disclosure of sensitive information, such as configuration files, source code, or user data. The CVSS v3.1 score of 7.3 indicates a high severity, highlighting the potential for significant impact. The lack of specifics regarding victim count and sectors targeted in the source information makes it difficult to quantify the precise scale of potential damage.

Recommendation

Apply any available patches or updates for elinsky execution-system-mcp to address CVE-2026-7319.
Implement input validation and sanitization measures to prevent path traversal attacks within the _get_context_file_path function.
Deploy the Sigma rule provided to detect exploitation attempts by monitoring for suspicious path traversal sequences in HTTP requests to the add_action tool.
Monitor web server logs for requests containing path traversal sequences such as “../” and ensure proper logging of access attempts.

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 28 Apr 2026 12:00:00 +0000

A SQL injection vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The vulnerability resides within the /ajax.php?action=delete_category endpoint, where a manipulation of the ID argument can lead to arbitrary SQL command execution. This allows remote attackers to potentially bypass authentication, access sensitive data, modify database contents, or even compromise the entire system. Given the availability of a published exploit, this vulnerability poses a significant risk to organizations utilizing the affected software. Successful exploitation requires no authentication.

Attack Chain

Attacker identifies an instance of SourceCodester Pharmacy Sales and Inventory System 1.0.
Attacker crafts a malicious HTTP request targeting the /ajax.php?action=delete_category endpoint.
The attacker injects SQL code into the ID parameter of the request.
The application fails to properly sanitize the input, passing the malicious SQL code to the database.
The database executes the attacker-controlled SQL query.
Depending on the injected SQL, the attacker can read sensitive data from the database (e.g., user credentials, financial records).
The attacker could also modify data, such as altering inventory levels or creating unauthorized accounts.
Ultimately, the attacker could gain full control of the database and the application.

Impact

Successful exploitation of this SQL injection vulnerability could result in unauthorized access to sensitive patient data, financial records, and other confidential information stored within the Pharmacy Sales and Inventory System database. Attackers could potentially modify data, leading to incorrect inventory levels, fraudulent transactions, or even complete system compromise. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations. Given that the exploit is public, organizations using this software are at immediate risk.

Recommendation

Apply input validation and sanitization to the ID parameter within the /ajax.php?action=delete_category endpoint to prevent SQL injection (reference CVE-2026-7130).
Deploy the provided Sigma rule to detect suspicious requests to the /ajax.php?action=delete_category endpoint containing potential SQL injection attempts.
Implement regular security audits and penetration testing to identify and remediate vulnerabilities in web applications.
Restrict database access privileges to the minimum necessary for each user and application to limit the potential impact of a successful SQL injection attack.

ChatGPTNextWeb NextChat Server-Side Request Forgery Vulnerability

hello@craftedsignal.io — Tue, 28 Apr 2026 12:00:00 +0000

A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-7177, affects ChatGPTNextWeb NextChat up to version 2.16.1. The vulnerability resides within the proxyHandler function in the app/api/[provider]/[...path]/route.ts file. Publicly available exploits demonstrate that a remote attacker can manipulate this function to make unauthorized requests to internal resources. The project maintainers were notified, but have not yet responded to the issue, increasing the risk of widespread exploitation. This vulnerability allows attackers to potentially access sensitive information or internal services that are not intended to be exposed to the internet.

Attack Chain

An attacker identifies a NextChat instance running a vulnerable version (<= 2.16.1).
The attacker crafts a malicious HTTP request targeting the app/api/[provider]/[...path]/route.ts endpoint.
The crafted request manipulates the proxyHandler function parameters.
The proxyHandler function, without proper validation, forwards the manipulated request to an internal server or resource.
The internal server processes the request as if it originated from the NextChat server itself.
The internal server returns the response to the NextChat server.
The NextChat server forwards the response from the internal server back to the attacker.
The attacker gains access to potentially sensitive information or can interact with internal services due to the SSRF vulnerability.

Impact

Successful exploitation of this SSRF vulnerability allows attackers to potentially access internal resources, including sensitive data or internal services not intended for public access. While the CVSS score is 7.3 (HIGH), the impact is limited to information disclosure and limited modification/availability of resources. The number of affected instances is currently unknown. If successfully exploited, attackers could potentially use the compromised NextChat instance as a proxy to further compromise the internal network.

Recommendation

Apply input validation and sanitization to the proxyHandler function within app/api/[provider]/[...path]/route.ts to prevent malicious manipulation (Reference: CVE-2026-7177).
Monitor web server logs for unusual requests targeting the app/api endpoint with potentially malicious parameters (See example Sigma rule below).
Implement network segmentation to restrict access from the NextChat server to only necessary internal resources (General security best practice related to SSRF).
Deploy the Sigma rules provided to detect exploitation attempts against NextChat instances.

AgiFlow scaffold-mcp Path Traversal Vulnerability (CVE-2026-7237)

hello@craftedsignal.io — Tue, 28 Apr 2026 08:16:02 +0000

AgiFlow scaffold-mcp, a software component with unknown functionality, is vulnerable to a path traversal attack. This vulnerability, identified as CVE-2026-7237, affects versions up to 1.0.27. The vulnerability resides in the packages/scaffold-mcp/src/server/index.ts file, specifically within the “write-to-file” tool. An attacker can remotely exploit this flaw by manipulating the file_path argument, enabling them to write to arbitrary locations on the server. A patch has been released in version 1.1.0 with commit hash c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6 to address this vulnerability. The exploit is publicly available.

Attack Chain

The attacker identifies an AgiFlow scaffold-mcp instance running a vulnerable version (<= 1.0.27).
The attacker crafts a malicious request targeting the “write-to-file” tool.
The request includes a manipulated file_path argument containing path traversal sequences (e.g., “../”, “..\”).
The server-side application processes the request without proper sanitization or validation of the file_path argument.
The application attempts to write data to the attacker-controlled file path.
Due to the path traversal sequences, the data is written to an arbitrary location on the server’s file system.
The attacker may overwrite critical system files, inject malicious code, or exfiltrate sensitive data, depending on the write permissions and targeted file location.
Successful exploitation leads to arbitrary code execution, data compromise, or denial of service.

Impact

Successful exploitation of CVE-2026-7237 allows attackers to write arbitrary files to the affected system, potentially leading to code execution, data exfiltration, or denial of service. The number of affected installations is currently unknown. Due to the public availability of the exploit, organizations using AgiFlow scaffold-mcp are at immediate risk.

Recommendation

Upgrade AgiFlow scaffold-mcp to version 1.1.0 or later to remediate CVE-2026-7237, applying the patch identified by commit hash c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6.
Implement input validation and sanitization on the file_path argument within the “write-to-file” tool to prevent path traversal attacks.
Deploy the Sigma rule “Detect AgiFlow Scaffold-mcp Path Traversal Attempt” to identify exploitation attempts in web server logs.
Monitor web server logs for suspicious requests containing path traversal sequences in the URI.

BrowserOperator Core Path Traversal Vulnerability (CVE-2026-7234)

hello@craftedsignal.io — Tue, 28 Apr 2026 07:16:04 +0000

A path traversal vulnerability has been identified in BrowserOperator browser-operator-core versions up to 0.6.0. The vulnerability, designated as CVE-2026-7234, resides in the startsWith function within the scripts/component_server/server.js file. By manipulating the request.url argument, an attacker can bypass path restrictions and potentially access sensitive files on the server. The vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available. The BrowserOperator project has been notified, but a patch has not yet been released. Successful exploitation could lead to information disclosure and unauthorized access to system resources.

Attack Chain

The attacker identifies a vulnerable BrowserOperator browser-operator-core instance running a version prior to 0.6.0.
The attacker crafts a malicious HTTP request targeting the component_server/server.js endpoint.
The crafted request includes a manipulated request.url argument designed to bypass the startsWith function’s intended path restrictions.
The startsWith function fails to properly sanitize or validate the request.url input.
The application uses the attacker-controlled request.url to construct a file path.
The application attempts to read a file based on the constructed path, traversing directories outside of the intended scope.
If successful, the contents of the targeted file are returned to the attacker in the HTTP response.

Impact

Successful exploitation of this vulnerability allows a remote attacker to read arbitrary files on the server hosting the BrowserOperator browser-operator-core application. This could lead to the disclosure of sensitive information, including configuration files, credentials, or source code. The lack of response from the project maintainers increases the risk of widespread exploitation, especially given the availability of a public exploit.

Recommendation

Inspect webserver logs for HTTP requests containing path traversal patterns in the URL targeting the component_server/server.js endpoint to detect potential exploitation attempts. Deploy the Sigma rule Detect BrowserOperator Path Traversal Attempt to identify suspicious requests.
Monitor web server logs for unusual file access patterns originating from the BrowserOperator application.
Consider using a web application firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint, mitigating the risk of CVE-2026-7234.

edvardlindelof notes-mcp Path Traversal Vulnerability (CVE-2026-7212)

hello@craftedsignal.io — Tue, 28 Apr 2026 02:16:08 +0000

A path traversal vulnerability, identified as CVE-2026-7212, affects edvardlindelof notes-mcp version 0.1.4 and earlier. This flaw resides within the notes_mcp.py file, where manipulation of the root_dir/path argument allows unauthorized access to files and directories outside the intended scope. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. The vendor was notified through an issue report but has not yet responded, making timely patching unlikely. Successful exploitation could lead to sensitive data exposure, potentially compromising the entire application and server.

Attack Chain

An attacker identifies an instance of notes-mcp running version 0.1.4 or earlier.
The attacker crafts a malicious HTTP request targeting the vulnerable endpoint in notes_mcp.py.
The crafted request includes a manipulated root_dir/path argument containing path traversal sequences (e.g., ../) to navigate outside the intended directory.
The application fails to properly sanitize or validate the root_dir/path argument.
The application uses the attacker-controlled path to access files or directories on the server’s file system.
The attacker retrieves sensitive data, such as configuration files, application source code, or user data, by reading arbitrary files on the server.
If write access is possible, the attacker may overwrite critical system files.
The attacker uses the exposed information to further compromise the system or gain unauthorized access to other resources.

Impact

Successful exploitation of this path traversal vulnerability can lead to unauthorized access to sensitive files and directories on the affected server. This could result in the disclosure of confidential data, such as user credentials, application source code, or internal configuration details. The vulnerability has a CVSS v3.1 score of 7.3 (HIGH), indicating a significant risk. The number of potential victims is unknown, but any system running the vulnerable version of notes-mcp is at risk. The project’s lack of response to the vulnerability report suggests that a patch may not be immediately available, increasing the window of opportunity for attackers.

Recommendation

Inspect web server access logs for suspicious requests containing path traversal sequences like ../ in the URI targeting notes_mcp.py to identify potential exploitation attempts (see Sigma rule Detect notes-mcp Path Traversal Attempt).
Deploy the provided Sigma rules to your SIEM to detect exploitation attempts targeting this vulnerability.
Monitor network traffic for unusual file access patterns originating from the affected server after potential exploitation.
Since a public exploit is available, prioritize patching or mitigating this vulnerability if you are using the affected software, paying close attention to changes in request patterns and ensuring awareness of CVE-2026-7212.

Duartium papers-mcp-server Path Traversal Vulnerability (CVE-2026-7205)

hello@craftedsignal.io — Tue, 28 Apr 2026 01:17:16 +0000

A path traversal vulnerability has been identified in duartium papers-mcp-server, specifically version 9ceb3812a6458ba7922ca24a7406f8807bc55598. The vulnerability resides within the search_papers function located in the src/main.py file. By manipulating the topic argument, a remote attacker can exploit this flaw to traverse the file system and potentially read sensitive files. This vulnerability, identified as CVE-2026-7205, is remotely exploitable and has a publicly available exploit, increasing the risk of widespread exploitation. The project maintainers were notified, but there has been no response or patch released, making immediate defensive measures critical for organizations using this software.

Attack Chain

The attacker identifies a vulnerable instance of duartium papers-mcp-server version 9ceb3812a6458ba7922ca24a7406f8807bc55598.
The attacker crafts a malicious HTTP request targeting the search_papers function.
Within the HTTP request, the attacker injects a path traversal payload into the topic argument, such as “../../etc/passwd”.
The server-side application, without proper sanitization, processes the malicious topic argument.
The application attempts to read the file specified by the attacker’s path traversal payload (e.g., /etc/passwd).
The server responds with the contents of the requested file, effectively leaking sensitive information to the attacker.
The attacker analyzes the leaked file for sensitive data, such as usernames, passwords, or configuration details.
The attacker uses the obtained information to further compromise the system or network.

Impact

Successful exploitation of this path traversal vulnerability allows attackers to read arbitrary files on the affected server. This could lead to the disclosure of sensitive configuration files, user credentials, or source code, potentially leading to further compromise, lateral movement within the network, and data breaches. The lack of a patch and the availability of a public exploit increases the likelihood of widespread exploitation and potential damage.

Recommendation

Deploy the Sigma rule provided in this brief to detect exploitation attempts against the search_papers endpoint, focusing on path traversal payloads in the topic parameter.
Implement input validation and sanitization on the topic parameter within the search_papers function to prevent path traversal attacks.
Monitor web server logs for suspicious requests containing path traversal sequences like “../” and “./” in the URI query to detect potential exploitation attempts.
Apply rate limiting to the search_papers endpoint to mitigate potential brute-force path traversal attempts.

dubydu sqlite-mcp SQL Injection Vulnerability (CVE-2026-7206)

hello@craftedsignal.io — Tue, 28 Apr 2026 01:16:02 +0000

A SQL injection vulnerability, identified as CVE-2026-7206, has been discovered in dubydu’s sqlite-mcp software, affecting versions up to 0.1.0. The vulnerability resides within the extract_to_json function located in the src/entry.py file. An attacker can exploit this flaw by manipulating the output_filename argument, leading to the execution of arbitrary SQL commands. This vulnerability is remotely exploitable, meaning an attacker does not need local access to the system. A proof-of-concept exploit is publicly available, increasing the risk of active exploitation. Applying patch a5580cb992f4f6c308c9ffe6442b2e76709db548 is the recommended remediation.

Attack Chain

An attacker identifies a vulnerable instance of dubydu sqlite-mcp running a version prior to the patched version.
The attacker crafts a malicious request targeting the extract_to_json function in src/entry.py.
The attacker injects SQL code into the output_filename argument of the request.
The application processes the attacker-supplied output_filename argument without proper sanitization.
The unsanitized input is passed directly to the underlying SQLite database engine.
The SQLite database executes the injected SQL commands, potentially allowing the attacker to read sensitive data, modify data, or execute system commands, depending on the application’s privileges and database configuration.
The attacker retrieves the results of the injected SQL query, such as extracted data or confirmation of successful command execution.
The attacker leverages the compromised database to achieve further objectives, such as data exfiltration or privilege escalation.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7206) can allow an attacker to execute arbitrary SQL queries against the underlying SQLite database. This could lead to the disclosure of sensitive information, modification of data, or even complete compromise of the application and the system it resides on. The CVSS v3.1 base score is 7.3, indicating a high severity vulnerability. Given the public availability of an exploit, affected systems are at an elevated risk of attack.

Recommendation

Apply the provided patch a5580cb992f4f6c308c9ffe6442b2e76709db548 to remediate CVE-2026-7206.
Implement input validation and sanitization measures to prevent SQL injection attacks, focusing on the output_filename parameter of the extract_to_json function.
Monitor web server logs for suspicious requests targeting the extract_to_json function using the Sigma rule Detect Suspicious sqlite-mcp Requests.

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability (CVE-2026-7199)

hello@craftedsignal.io — Tue, 28 Apr 2026 00:16:26 +0000

A SQL injection vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. This vulnerability, assigned CVE-2026-7199, affects the /ajax.php?action=delete_product endpoint. Attackers can remotely exploit this vulnerability by manipulating the ID parameter. The vulnerability was published on April 27, 2026, and the exploit is now publicly available. Successful exploitation allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Due to the ease of exploitation and the sensitive nature of pharmacy data, this vulnerability poses a significant risk to organizations using the affected system.

Attack Chain

The attacker identifies a vulnerable instance of SourceCodester Pharmacy Sales and Inventory System 1.0.
The attacker crafts a malicious HTTP request targeting the /ajax.php?action=delete_product endpoint.
The attacker injects SQL code into the ID parameter of the request.
The server-side application fails to properly sanitize the input, passing the malicious SQL code to the database.
The database executes the injected SQL code, potentially allowing the attacker to bypass authentication, access sensitive data, modify database records, or execute system commands.
The attacker retrieves sensitive data, such as patient information, prescription details, or financial records.
The attacker may escalate privileges within the application and the underlying system.
The attacker can then exfiltrate the compromised data or maintain persistent access to the system for future attacks.

Impact

Successful exploitation of this SQL injection vulnerability can lead to a complete compromise of the Pharmacy Sales and Inventory System. This can result in the theft of sensitive patient data, financial records, and other confidential information. The vulnerability allows attackers to potentially modify or delete critical data, leading to disruption of pharmacy operations, financial losses, and regulatory penalties. As the exploit is publicly available, the likelihood of widespread exploitation is high, impacting any organization using the vulnerable version of the software.

Recommendation

Apply the Sigma rule Detecting SQL Injection Attempts via URI to identify potential exploitation attempts against the /ajax.php?action=delete_product endpoint.
Inspect web server logs for requests to /ajax.php?action=delete_product containing suspicious characters or SQL keywords in the ID parameter, as detected by the Detecting SQL Injection in Pharmacy System Sigma rule.
Implement input validation and sanitization measures to prevent SQL injection vulnerabilities in the SourceCodester Pharmacy Sales and Inventory System, mitigating the underlying issue.
Restrict access to the database server and sensitive data to only authorized personnel, reducing the potential impact of a successful SQL injection attack.
Monitor database logs for suspicious activity, such as unauthorized data access or modification, which may indicate successful exploitation of CVE-2026-7199.

Online Lot Reservation System SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 15:16:21 +0000

A SQL injection vulnerability, identified as CVE-2026-7131, has been discovered in code-projects Online Lot Reservation System version 1.0 and earlier. This vulnerability is located in the /loginuser.php file and can be exploited by manipulating the email and password arguments. Successful exploitation could allow a remote attacker to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability is remotely exploitable and a public exploit is available, increasing the risk of exploitation. Due to the sensitive nature of lot reservation data, organizations using this system are at risk of significant data compromise.

Attack Chain

An attacker identifies a vulnerable instance of code-projects Online Lot Reservation System version 1.0.
The attacker crafts a malicious HTTP request targeting the /loginuser.php file.
Within the request, the attacker injects SQL code into the email or password parameters.
The application fails to properly sanitize the input, passing the malicious SQL code to the database.
The database executes the injected SQL code, treating it as a legitimate query.
The attacker gains unauthorized access to the database, potentially reading sensitive information such as user credentials, reservation details, or financial data.
The attacker may modify or delete data within the database, disrupting the system’s functionality.
The attacker can potentially use the compromised database to pivot to other systems or escalate privileges within the network.

Impact

Successful exploitation of CVE-2026-7131 can result in unauthorized access to sensitive data within the Online Lot Reservation System. This could include user credentials, reservation details, and financial information. The vulnerability affects systems running code-projects Online Lot Reservation System up to version 1.0. Due to the availability of a public exploit, the risk of exploitation is elevated. A successful attack could lead to data breaches, financial loss, and reputational damage.

Recommendation

Apply appropriate input validation and sanitization techniques to prevent SQL injection attacks within the /loginuser.php file.
Deploy the Sigma rule Detect SQL Injection Attempt via Login to identify potential exploitation attempts against the /loginuser.php endpoint.
Monitor web server logs for suspicious requests targeting the /loginuser.php file, specifically looking for SQL syntax within the email or password parameters.
Review and harden database access controls to limit the impact of successful SQL injection attacks.
Implement a web application firewall (WAF) with rules to detect and block SQL injection attempts.
Disable Javascript to ensure complete website functionality.

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 06:16:03 +0000

SourceCodester Pharmacy Sales and Inventory System version 1.0 is susceptible to SQL injection. The vulnerability resides in the /ajax.php?action=save_receiving file, where manipulation of the ID argument can lead to arbitrary SQL command execution. This vulnerability allows remote attackers to compromise the application’s database. The exploit is publicly available, increasing the risk of exploitation. This vulnerability allows attackers to read, modify, or delete sensitive data, potentially leading to complete system compromise.

Attack Chain

The attacker identifies a vulnerable instance of SourceCodester Pharmacy Sales and Inventory System version 1.0.
The attacker crafts a malicious HTTP request targeting the /ajax.php?action=save_receiving endpoint.
The attacker injects a SQL payload into the ID parameter of the request.
The web server processes the request and passes the injected SQL query to the database.
The database executes the malicious SQL query, potentially returning sensitive data to the attacker.
The attacker may use the SQL injection to bypass authentication, allowing them to access administrative functions.
The attacker may use the SQL injection to modify inventory data, manipulate sales records, or create fraudulent transactions.
The attacker may use the SQL injection to exfiltrate sensitive data such as customer information, financial records, and administrator credentials.

Impact

Successful exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive data, modification of inventory and sales records, and potentially full control of the application and underlying server. This could result in financial loss, reputational damage, and legal repercussions for affected organizations. Given the public availability of the exploit, the risk of widespread exploitation is high. The impact could include data breaches, financial fraud, and complete system compromise.

Recommendation

Deploy the Sigma rule Detecting SQL Injection Attempts via URI to identify malicious requests targeting the vulnerable endpoint.
Apply input validation and sanitization to the ID parameter in the /ajax.php?action=save_receiving file to prevent SQL injection attacks.
Monitor web server logs for suspicious activity, such as error messages or unusual requests targeting the /ajax.php?action=save_receiving endpoint (webserver log source).
Upgrade to a patched version of the application or implement a web application firewall (WAF) rule to block malicious requests.
Implement least privilege principles for database access to limit the impact of successful SQL injection attacks.

itsourcecode Construction Management System SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 02:16:01 +0000

A SQL injection vulnerability has been identified in itsourcecode Construction Management System version 1.0. The vulnerability resides within the /locations.php file and is triggered by manipulating the address argument. This allows a remote attacker to inject arbitrary SQL commands into the application’s database queries. This poses a significant risk as successful exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire system. The vulnerability has been assigned CVE-2026-7075, and a public exploit is available, increasing the likelihood of exploitation.

Attack Chain

Attacker identifies an instance of itsourcecode Construction Management System 1.0.
Attacker sends a crafted HTTP request to /locations.php with a malicious SQL payload embedded in the address parameter.
The application fails to properly sanitize the address parameter.
The unsanitized input is incorporated into an SQL query.
The database executes the attacker-controlled SQL query.
The attacker extracts sensitive data from the database.
Attacker may use the injected queries to modify or delete data.
The attacker compromises the confidentiality, integrity, and availability of the Construction Management System.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7075) can lead to unauthorized access to sensitive data, including user credentials, financial records, and project details stored within the Construction Management System database. Attackers could potentially modify or delete critical data, disrupt business operations, or gain complete control over the application and its underlying infrastructure. Given the public availability of the exploit, organizations using the affected version of itsourcecode Construction Management System are at immediate risk.

Recommendation

Deploy the provided Sigma rule to detect suspicious HTTP requests to /locations.php containing potentially malicious SQL syntax in the cs-uri-query (webserver logs).
Implement input validation and sanitization for the address parameter in /locations.php to prevent SQL injection attacks.
Monitor web server logs for unusual activity, especially requests targeting /locations.php with long or complex address parameters.

CodePanda Source canteen_management_system SQL Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 01:16:16 +0000

A SQL injection vulnerability has been identified in CodePanda Source canteen_management_system version 1.0. The vulnerability resides in the /api/login.php file and is triggered by manipulating the Username argument. This allows a remote attacker to inject arbitrary SQL commands into the application’s database queries. Public exploits are available, increasing the risk of exploitation. Successful exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire application and its underlying database. The affected version is 1.0, and there are no known mitigations other than patching or taking the system offline.

Attack Chain

The attacker identifies a CodePanda Source canteen_management_system version 1.0 instance accessible over the network.
The attacker sends a crafted HTTP POST request to /api/login.php with a malicious SQL payload in the Username parameter.
The application fails to properly sanitize the Username input before incorporating it into an SQL query.
The injected SQL code is executed against the application’s database.
The attacker uses SQL injection techniques such as UNION SELECT to extract sensitive data from the database.
The extracted data, which may include usernames, passwords, and other confidential information, is sent back to the attacker.
The attacker uses the compromised credentials to gain unauthorized access to the application’s administrative interface.

Impact

Successful exploitation of this SQL injection vulnerability could allow attackers to read sensitive data, modify existing records, or even execute arbitrary code on the database server. This could lead to a complete compromise of the application and its underlying data. Given the nature of a canteen management system, potential data breaches could include personal information of employees or customers, financial data related to transactions, and internal operational details. The impact may be amplified if the database stores other sensitive information, leading to significant financial and reputational damage.

Recommendation

Inspect web server logs for POST requests to /api/login.php containing SQL syntax within the Username parameter to detect potential exploitation attempts (see example rule below).
Apply input validation and sanitization to all user-supplied input, especially the Username parameter in /api/login.php, to prevent SQL injection.
Monitor database logs for unusual or unauthorized SQL queries originating from the application to identify potential breaches resulting from SQL injection.

SQL Injection Vulnerability in code-projects Inventory Management System 1.0

hello@craftedsignal.io — Mon, 27 Apr 2026 01:16:15 +0000

A SQL injection vulnerability has been identified in code-projects Inventory Management System version 1.0. The vulnerability resides within the Login component and is triggered by manipulating the Username argument. Successful exploitation allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized access to sensitive data, modification of existing records, or even complete database takeover. The vulnerability, identified as CVE-2026-7070, has a CVSS v3.1 score of 7.3, indicating a high severity. Publicly available exploits exist, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to organizations using the affected Inventory Management System, potentially leading to data breaches and financial losses.

Attack Chain

The attacker identifies a login form within the code-projects Inventory Management System 1.0.
The attacker crafts a malicious SQL injection payload within the Username field of the login form.
The attacker submits the crafted payload through an HTTP POST request to the login endpoint.
The application fails to properly sanitize or validate the input provided in the Username field.
The unsanitized input is directly incorporated into an SQL query executed against the backend database.
The injected SQL code modifies the intended query, allowing the attacker to bypass authentication or extract data.
The database server executes the modified SQL query, potentially returning sensitive information to the attacker or allowing unauthorized data manipulation.

Impact

Successful exploitation of this SQL injection vulnerability can have severe consequences. An attacker can gain unauthorized access to sensitive inventory data, customer information, and financial records. Data modification can lead to incorrect inventory levels, disrupted operations, and financial losses. In a worst-case scenario, the attacker could gain complete control over the database server, leading to a full system compromise. This vulnerability impacts organizations using code-projects Inventory Management System 1.0, potentially affecting their reputation, financial stability, and customer trust.

Recommendation

Deploy the Sigma rule Detect SQL Injection Attempts in Web Logs to identify potential exploitation attempts targeting the Username field in web server logs.
Apply input validation and sanitization to the Username field in the Login component of code-projects Inventory Management System 1.0 to mitigate CVE-2026-7070.
Monitor web server logs for unusual SQL syntax or error messages indicative of SQL injection attempts based on the Detect SQL Injection Attempts in Web Logs Sigma rule.

code-projects Employee Management System SQL Injection Vulnerability (CVE-2026-7063)

hello@craftedsignal.io — Sun, 26 Apr 2026 23:16:21 +0000

A SQL injection vulnerability, identified as CVE-2026-7063, has been discovered in code-projects Employee Management System version 1.0. The vulnerability resides within the /370project/process/eprocess.php file, specifically affecting the pwd argument. Successful exploitation allows a remote attacker to inject and execute arbitrary SQL commands against the application’s database. Given that the exploit is publicly available, organizations using this system are at immediate risk of unauthorized data access, modification, or deletion. The affected component is the endpoint processing user input, making it a critical point of failure if not properly secured. This vulnerability poses a significant threat due to its ease of exploitation and potential for widespread data compromise.

Attack Chain

The attacker identifies an instance of code-projects Employee Management System 1.0 accessible over the network.
The attacker crafts a malicious HTTP request targeting the /370project/process/eprocess.php endpoint.
Within the HTTP request, the attacker manipulates the pwd parameter, injecting SQL code within the parameter’s value.
The server-side code improperly sanitizes or validates the injected SQL code within the pwd parameter.
The application executes the attacker-controlled SQL query against the database.
The attacker bypasses authentication or gains elevated privileges through the successful SQL injection.
The attacker extracts sensitive data from the database, such as user credentials or financial records.
The attacker may modify or delete data within the database, leading to data corruption or denial of service.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-7063) can lead to complete compromise of the affected Employee Management System. An attacker can gain unauthorized access to sensitive employee data, including personal information, salaries, and performance reviews. The attacker could modify or delete critical data, disrupt business operations, or use the compromised system as a launchpad for further attacks within the organization’s network. Given the public availability of the exploit, organizations failing to address this vulnerability are at a high risk of experiencing a data breach and associated financial and reputational damage.

Recommendation

Inspect web server logs for suspicious POST requests to /370project/process/eprocess.php containing SQL syntax in the pwd parameter to identify potential exploitation attempts.
Deploy the provided Sigma rule to detect exploitation attempts targeting the vulnerable pwd parameter in the eprocess.php file.
Apply input validation and sanitization to the pwd parameter in /370project/process/eprocess.php to prevent SQL injection, addressing CVE-2026-7063.

KLiK SocialMediaWebsite SQL Injection Vulnerability (CVE-2026-7002)

hello@craftedsignal.io — Sun, 26 Apr 2026 14:30:00 +0000

KLiK SocialMediaWebsite version 1.0.1 and earlier is susceptible to a SQL injection vulnerability (CVE-2026-7002) affecting the Private Message Handler component. This vulnerability resides within the /includes/get_message_ajax.php file, and is triggered by manipulating the c_id argument. The attack can be launched remotely without authentication, potentially allowing unauthorized access to sensitive data within the application’s database. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential data breaches and unauthorized access to user information. The vulnerability was published on April 25, 2026.

Attack Chain

An attacker identifies a KLiK SocialMediaWebsite instance running version 1.0.1 or earlier.
The attacker crafts a malicious HTTP request targeting the /includes/get_message_ajax.php endpoint.
The attacker injects a SQL payload into the c_id parameter of the HTTP request.
The web server processes the request and passes the malicious SQL query to the database.
The database executes the injected SQL query without proper sanitization, leading to unintended data retrieval or modification.
The attacker retrieves sensitive information from the database, such as user credentials or private messages.
The attacker may use the stolen credentials to gain unauthorized access to user accounts.

Impact

Successful exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive data stored in the KLiK SocialMediaWebsite database. This could include user credentials, private messages, and other personal information. An attacker could potentially gain complete control over the application’s data, leading to data breaches, identity theft, and other malicious activities. Given the wide use of social media platforms, a successful attack could affect a large number of users.

Recommendation

Apply any available patches or updates for KLiK SocialMediaWebsite to address CVE-2026-7002.
Implement proper input validation and sanitization techniques to prevent SQL injection attacks.
Deploy the Sigma rule to detect attempts to exploit this SQL injection vulnerability by monitoring web server logs for suspicious requests targeting /includes/get_message_ajax.php with potentially malicious SQL payloads in the c_id parameter.
Monitor web server logs for HTTP requests to /includes/get_message_ajax.php containing SQL keywords (e.g., SELECT, UNION, UPDATE, INSERT, DELETE) in the c_id parameter.

PicoClaw Web Launcher Management Plane Command Injection Vulnerability

hello@craftedsignal.io — Sat, 25 Apr 2026 17:16:33 +0000

A command injection vulnerability exists in PicoClaw version 0.2.4, specifically affecting the /api/gateway/restart endpoint within the Web Launcher Management Plane component. This flaw allows unauthenticated remote attackers to inject and execute arbitrary commands on the underlying system. The vulnerability, identified as CVE-2026-6987, stems from improper neutralization of special elements in the input to the /api/gateway/restart function. The project maintainers were notified through an issue report, but as of the time of disclosure, no response or patch has been released. This vulnerability poses a significant risk, potentially leading to full system compromise.

Attack Chain

The attacker identifies a vulnerable PicoClaw instance running version 0.2.4.
The attacker crafts a malicious HTTP request targeting the /api/gateway/restart endpoint.
Within the request, the attacker injects OS commands into a parameter processed by the vulnerable function.
The PicoClaw application fails to properly sanitize the attacker-supplied input.
The application executes the injected commands with the privileges of the web server process.
The attacker gains arbitrary code execution on the server.
The attacker uses the initial foothold to escalate privileges, potentially gaining root access.
The attacker installs malware, exfiltrates sensitive data, or performs other malicious activities.

Impact

Successful exploitation of this command injection vulnerability allows a remote attacker to execute arbitrary commands on the affected system. This could lead to complete system compromise, data theft, or denial of service. Given the nature of command injection, the attacker may be able to escalate privileges and gain full control over the server. The number of potential victims is unknown, but any PicoClaw installation running version 0.2.4 exposed to the network is at risk.

Recommendation

Apply available patches for PicoClaw as soon as they are released to remediate CVE-2026-6987.
Implement input validation and sanitization on the /api/gateway/restart endpoint to prevent command injection.
Deploy the Sigma rule Detect Suspicious PicoClaw Restart Requests to monitor for exploitation attempts.
Monitor web server logs for unusual activity or suspicious commands executed via HTTP requests, correlating with requests to /api/gateway/restart.
Consider using a web application firewall (WAF) to filter malicious requests targeting the /api/gateway/restart endpoint.

vanna-ai vanna Improper Authorization Vulnerability (CVE-2026-6977)

hello@craftedsignal.io — Sat, 25 Apr 2026 11:16:19 +0000

A security vulnerability, identified as CVE-2026-6977, has been discovered in vanna-ai vanna versions up to 2.0.2. The vulnerability resides within an unspecified function of the Legacy Flask API component. Successful exploitation of this flaw leads to improper authorization, potentially granting unauthorized access to sensitive resources or functionalities. The vulnerability is remotely exploitable and a proof-of-concept exploit is publicly available. The vendor was contacted but did not respond. This vulnerability poses a risk to systems utilizing the affected versions of vanna-ai vanna, as attackers could leverage it to bypass intended access controls.

Attack Chain

Attacker identifies a vulnerable vanna-ai vanna instance running version 2.0.2 or earlier.
Attacker crafts a malicious HTTP request targeting the Legacy Flask API. The specific endpoint and parameters involved are not defined in the source material.
The crafted request exploits the improper authorization vulnerability (CVE-2026-6977) within the Legacy Flask API.
Due to the improper authorization flaw, the attacker’s request bypasses the intended access controls.
The vulnerable application grants the attacker unauthorized access to resources or functionalities that should be restricted.
Depending on the accessed resources, the attacker may gain access to sensitive data, modify system settings, or perform other unauthorized actions.
The attacker may escalate privileges or move laterally within the affected system if further vulnerabilities exist or if the compromised application has elevated permissions.

Impact

Successful exploitation of CVE-2026-6977 allows a remote attacker to bypass authorization checks in vanna-ai vanna, potentially leading to unauthorized access to sensitive data or functionality. Given that a public exploit exists, organizations utilizing affected versions of vanna-ai vanna are at increased risk. The lack of vendor response further exacerbates the risk, as no official patch or mitigation guidance is available.

Recommendation

Monitor web server logs for suspicious activity targeting the Legacy Flask API in vanna-ai vanna, using a webserver category Sigma rule focused on unusual HTTP requests.
Apply generic hardening and input validation techniques to mitigate the impact of potential exploits targeting web applications.
Investigate and validate the activity from the VulDB references provided in this brief.

OpenClaw Cross-Site Request Forgery Vulnerability

hello@craftedsignal.io — Fri, 24 Apr 2026 12:00:00 +0000

OpenClaw before version 2026.3.31 is susceptible to Cross-Site Request Forgery (CSRF) attacks. The vulnerability lies in the lack of browser-origin validation within the HTTP operator endpoints when the application operates in trusted-proxy mode. This allows an attacker to craft malicious HTTP requests originating from a user’s browser to perform unauthorized actions within the OpenClaw application. Successful exploitation of this vulnerability enables attackers to execute privileged operations, potentially leading to data modification or unauthorized access to sensitive functionalities. This vulnerability requires the application to be deployed in trusted-proxy mode to be exploitable.

Attack Chain

An attacker crafts a malicious HTML page containing a forged HTTP request targeting a vulnerable OpenClaw HTTP operator endpoint.
The attacker hosts the malicious HTML page on a website or delivers it through phishing.
A victim user, authenticated to the OpenClaw application, visits the malicious HTML page in their browser.
The victim’s browser automatically sends the forged HTTP request to the vulnerable OpenClaw endpoint.
Because the OpenClaw application lacks proper browser-origin validation, it processes the forged request.
The attacker is able to perform unauthorized actions as the authenticated user.
The attacker can modify user configurations or exfiltrate data.

Impact

Successful exploitation of this CSRF vulnerability in OpenClaw can lead to unauthorized modification of application settings, data manipulation, or even complete account takeover. While specific victim numbers are unavailable, the impact extends to any organization utilizing OpenClaw in a trusted-proxy deployment scenario. The vulnerability can potentially compromise data integrity and confidentiality, leading to significant operational disruptions.

Recommendation

Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41347.
Deploy the Sigma rule below to detect suspicious HTTP requests lacking proper origin validation within your web server logs.
Implement proper CSRF protection mechanisms, such as synchronizer tokens, in OpenClaw’s HTTP operator endpoints.

Xerte Online Toolkits Unauthenticated Remote Code Execution via File Upload

hello@craftedsignal.io — Thu, 23 Apr 2026 12:00:00 +0000

Xerte Online Toolkits, a platform used for creating online learning materials, is vulnerable to unauthenticated remote code execution (RCE). Specifically, versions 3.15 and earlier contain an incomplete input validation vulnerability within the elFinder connector endpoint. This flaw allows an attacker to bypass existing file extension filters and upload PHP files with a ‘.php4’ extension. Combined with authentication bypass and path traversal vulnerabilities, this can lead to arbitrary operating system command execution on the underlying server. This vulnerability, identified as CVE-2026-34415, poses a significant risk to organizations using affected versions of Xerte Online Toolkits, potentially allowing attackers to gain complete control of the web server.

Attack Chain

An unauthenticated attacker sends a crafted HTTP request to the elFinder connector endpoint.
The attacker exploits an authentication bypass vulnerability to gain unauthorized access to file upload functionality.
The attacker leverages a path traversal vulnerability to specify a writable directory for the uploaded file.
The attacker uploads a malicious PHP file disguised with a ‘.php4’ extension, bypassing the incomplete input validation.
The server saves the malicious PHP file to the specified directory.
The attacker sends another HTTP request to directly access the uploaded PHP file via its URL.
The web server executes the PHP code within the uploaded file, granting the attacker arbitrary code execution.
The attacker can now execute operating system commands on the server, potentially leading to data theft, system compromise, or further malicious activities.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands on the affected Xerte Online Toolkits server. Given the high CVSS score of 9.8, this vulnerability is considered critical. If exploited, an attacker could potentially gain full control of the server, leading to data breaches, defacement of the website, or the use of the compromised server as a launchpad for further attacks within the network. The number of potentially affected installations is currently unknown.

Recommendation

Upgrade Xerte Online Toolkits to a patched version greater than 3.15 to remediate CVE-2026-34415.
Implement the Sigma rule “Detect Suspicious PHP4 Uploads” to identify potential exploitation attempts by monitoring web server logs for ‘.php4’ file uploads.
Review web server access logs for unusual requests to PHP files located in unexpected directories, which may indicate exploitation attempts.
Monitor web server logs for requests to the elFinder connector endpoint that include suspicious parameters or file extensions.

Daptin SQL Injection Vulnerability in Aggregate API

hello@craftedsignal.io — Thu, 23 Apr 2026 12:00:00 +0000

Daptin versions prior to 0.11.4 are susceptible to a SQL injection vulnerability in the /aggregate/:typename endpoint. The vulnerability arises because the application fails to properly validate the column and group query parameters before passing them to goqu.L(). This function is used to build raw SQL literal expressions, thus bypassing parameterization and allowing attackers to inject arbitrary SQL code. Any authenticated user, regardless of privilege level, can exploit this vulnerability. This poses a significant risk as it enables unauthorized data extraction, disclosure of database internals, and cross-table data exfiltration. The vulnerability was reported on 2026-04-22 and assigned CVE-2026-41422.

Attack Chain

An attacker authenticates to the Daptin application with valid credentials.
The attacker crafts a malicious HTTP GET request targeting the /aggregate/:typename endpoint.
The attacker injects a SQL payload into the column or group query parameters. For example, column=(SELECT group_concat(email) FROM user_account) as leak.
The Daptin application receives the request and passes the unvalidated column parameter to the goqu.L() function in server/resource/resource_aggregate.go.
The goqu.L() function constructs a raw SQL query using the attacker-controlled input, bypassing any parameterization.
The malicious SQL query is executed against the database.
The attacker retrieves the injected SQL query’s result from the application’s response, which contains sensitive data.
The attacker exfiltrates the extracted data, potentially including user credentials, internal database schema details, or other confidential information.

Impact

Successful exploitation of this SQL injection vulnerability allows attackers to perform unauthorized data extraction, including sensitive information like user credentials. An attacker can also disclose database internals and exfiltrate data from multiple tables, even with low-privilege access. The impact includes potential data breaches, compliance violations, and reputational damage. The vulnerability was confirmed to allow extraction of user_account.email values by a non-admin user.

Recommendation

Upgrade Daptin to version 0.11.4 or later to patch the SQL injection vulnerability (CVE-2026-41422).
Deploy the provided Sigma rule Detect Daptin Aggregate API SQL Injection to identify exploitation attempts in web server logs.
If upgrading is not immediately feasible, implement input validation on the column and group parameters in the /aggregate/:typename endpoint, specifically blocking SQL keywords and functions to mitigate the risk.

SiYuan Path Traversal via Double URL Encoding in `/export/` Endpoint

hello@craftedsignal.io — Wed, 22 Apr 2026 20:55:31 +0000

SiYuan is vulnerable to a path traversal vulnerability (CVE-2026-30869) due to a redundant url.PathUnescape() call within the serveExport() function. The vulnerability exists in versions prior to 3.6.5. This flaw allows an authenticated attacker, including low-privilege users with Publish/Reader roles, to bypass intended security restrictions and access sensitive files stored within the SiYuan workspace. The initial fix attempted with IsSensitivePath() proved insufficient as it did not address the core issue of double URL decoding. An attacker can exploit this vulnerability by using double URL encoded characters in a crafted HTTP request, allowing them to read arbitrary files such as the complete SQLite document database (siyuan.db), kernel logs, and other critical files.

Attack Chain

An authenticated attacker sends a GET request to the /export/ endpoint with a double URL encoded path, such as /export/%252e%252e/siyuan.db.
The Go HTTP server decodes the initial layer of URL encoding, transforming %25 into %, resulting in a path like /export/%2e%2e/siyuan.db.
The path cleaner does not recognize %2e%2e as directory traversal, so it passes through.
The serveExport() function then calls url.PathUnescape() on the path, decoding %2e%2e into ...
The filepath.Join() function concatenates the exportBaseDir with the now decoded path, e.g., /../siyuan.db.
The IsSensitivePath() check fails to block the request because it doesn’t account for the decoded path or specific database files in the temp/ directory.
The attacker successfully retrieves the contents of the siyuan.db file, which contains the complete document database.
The attacker repeats the process to access other sensitive files within the workspace, such as siyuan.log, blocktree.db, and asset_content.db.

Impact

Successful exploitation of this vulnerability allows an attacker to exfiltrate sensitive data, including the entire SQLite document database, potentially containing all user documents, attributes, and search indexes. The attacker can also access the kernel log, which may contain internal server paths, versions, configuration details, and error messages. This information disclosure could lead to further compromise of the system. While the number of victims is unknown, any SiYuan instance running a version prior to 3.6.5 is potentially vulnerable.

Recommendation

Upgrade SiYuan to version 3.6.5 or later to remediate the vulnerability.
Deploy the provided Sigma rule Detect SiYuan Path Traversal Attempt to detect attempts to exploit this vulnerability by monitoring for double URL encoded characters in requests to the /export/ endpoint.
Monitor web server logs for requests to the /export/ endpoint containing %252e%252e to identify potential exploitation attempts.
Consider implementing a more robust path validation mechanism within the serveExport() function that properly handles URL decoding and directory traversal attempts.

FreeScout Incorrect Authorization Vulnerability via Save Draft

hello@craftedsignal.io — Wed, 22 Apr 2026 12:00:00 +0000

FreeScout is a self-hosted help desk and shared mailbox platform. Prior to version 1.8.215, a vulnerability exists related to authorization controls when the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS setting is enabled. Specifically, the save_draft AJAX endpoint lacks proper authorization checks. This allows an attacker to potentially bypass intended access restrictions and create drafts within conversations that they should not be able to access, leading to unauthorized modification or viewing of conversation data. This vulnerability was addressed in version 1.8.215.

Attack Chain

Attacker identifies a FreeScout instance running a version prior to 1.8.215 with APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS enabled.
Attacker authenticates to the FreeScout instance with a valid, but unauthorized user account.
Attacker identifies the conversation ID of a conversation they are not assigned to and cannot normally access via the UI.
Attacker crafts a POST request to the /index.php?m=conversations&a=save_draft endpoint, including the conversation ID and the draft content they wish to create.
The server, lacking proper authorization checks on the save_draft endpoint, accepts the POST request.
A draft is created within the targeted conversation, associated with the attacker’s user account.
The attacker, or potentially other unauthorized users who later gain access to the attacker’s account, can view or modify the drafted content, potentially exfiltrating sensitive information.

Impact

Successful exploitation of this vulnerability allows unauthorized users to create drafts within conversations they are not assigned to. This could lead to the unauthorized viewing or modification of sensitive information contained within the conversations, potentially leading to data breaches or compliance violations. The vulnerability affects FreeScout instances running versions prior to 1.8.215 with the specific APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS setting enabled.

Recommendation

Upgrade FreeScout to version 1.8.215 or later to remediate the vulnerability (references: https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215).
Monitor web server logs for POST requests to the /index.php?m=conversations&a=save_draft endpoint originating from unusual IP addresses or user agents using the Sigma rule provided below.
Implement web application firewall (WAF) rules to filter or block unauthorized POST requests to the vulnerable endpoint.

Vvveb CMS 1.0.8 Remote Code Execution via Malicious Upload

hello@craftedsignal.io — Tue, 21 Apr 2026 12:00:00 +0000

Vvveb CMS version 1.0.8 is susceptible to a remote code execution (RCE) vulnerability (CVE-2026-6249) due to insufficient input validation in the media upload handler. An authenticated attacker can exploit this flaw by uploading a malicious PHP webshell disguised with a .phtml extension, which bypasses the server’s intended extension deny-list. The uploaded webshell is then accessible within the publicly available media directory. By crafting a specific HTTP request to access the uploaded .phtml file, the attacker can trigger the execution of arbitrary operating system commands on the server, leading to a complete compromise of the system. This vulnerability poses a significant threat to organizations utilizing Vvveb CMS 1.0.8, potentially enabling attackers to steal sensitive data, disrupt services, or establish a persistent foothold within the network.

Attack Chain

The attacker authenticates to the Vvveb CMS 1.0.8 instance.
The attacker accesses the media upload functionality within the CMS.
The attacker uploads a malicious PHP webshell file, named with a .phtml extension, crafted to execute operating system commands.
The CMS stores the uploaded .phtml file in the publicly accessible media directory.
The attacker crafts an HTTP request targeting the uploaded .phtml file in the media directory.
The web server executes the PHP code within the .phtml file upon receiving the attacker’s HTTP request.
The PHP code executes arbitrary operating system commands, as defined by the attacker in the webshell.
The attacker gains complete control of the server, potentially leading to data theft, service disruption, or persistent access.

Impact

Successful exploitation of CVE-2026-6249 allows an attacker to execute arbitrary operating system commands on the Vvveb CMS server. This could lead to a full compromise of the system, including the theft of sensitive data stored in the CMS database, modification of website content, or the deployment of malicious software. Organizations using Vvveb CMS 1.0.8 are at risk of data breaches, financial losses, and reputational damage if this vulnerability is exploited.

Recommendation

Upgrade Vvveb CMS to a patched version that addresses CVE-2026-6249.
Implement strict input validation and sanitization on all file upload functionalities to prevent the upload of malicious files.
Configure the web server to prevent the execution of PHP code within the media directory.
Deploy the Sigma rule Detect Suspicious PHTML Request to identify attempts to access .phtml files in the media directory.
Monitor web server logs for suspicious HTTP requests targeting unusual file extensions in media directories.

Rowboatlabs Rowboat Improper Authentication Vulnerability (CVE-2026-6635)

hello@craftedsignal.io — Mon, 20 Apr 2026 12:16:09 +0000

A critical security flaw, identified as CVE-2026-6635, has been discovered in rowboatlabs rowboat, specifically in versions up to and including 0.1.67. This vulnerability resides within the tool_call function located in the apps/experimental/tools_webhook/app.py file of the tools_webhook component. The vulnerability stems from the improper handling of the X-Tools-JWE argument, which can be manipulated by a remote attacker to bypass authentication mechanisms. This flaw allows attackers to potentially gain unauthorized access and execute arbitrary actions within the application. Public exploits are available, increasing the urgency for mitigation. The vendor was notified but has not responded.

Attack Chain

Attacker identifies a vulnerable instance of rowboatlabs rowboat version 0.1.67 or earlier.
The attacker crafts a malicious HTTP request targeting the tool_call function.
Within the HTTP request, the attacker manipulates the X-Tools-JWE argument with a crafted payload designed to bypass authentication checks.
The vulnerable tool_call function fails to properly validate the manipulated X-Tools-JWE argument.
The application grants the attacker unauthorized access based on the bypassed authentication.
The attacker leverages the unauthorized access to execute actions normally restricted to authenticated users.
Depending on the application’s functionality, this could involve data exfiltration, modification, or execution of arbitrary code.

Impact

Successful exploitation of CVE-2026-6635 can lead to complete compromise of the rowboatlabs rowboat application. Attackers can gain unauthorized access to sensitive data, modify application settings, or even execute arbitrary code on the server. Due to the ease of exploitation with public exploits available, all instances of vulnerable rowboat versions are at immediate risk. The specific impact depends on the application’s role and the data it handles, but potential consequences include data breaches, service disruption, and financial loss.

Recommendation

Apply appropriate input validation to X-Tools-JWE argument using tool_call function within apps/experimental/tools_webhook/app.py to prevent improper authentication (CVE-2026-6635).
Deploy the Sigma rule Detect Rowboat Authentication Bypass Attempt via X-Tools-JWE Manipulation to detect exploitation attempts.
Monitor web server logs for HTTP requests targeting the tool_call function with unusual X-Tools-JWE values.

Metasoft MetaCRM SQL Injection Vulnerability (CVE-2026-6629)

hello@craftedsignal.io — Mon, 20 Apr 2026 11:16:18 +0000

A SQL injection vulnerability, identified as CVE-2026-6629, has been discovered in Metasoft 美特软件 MetaCRM versions up to 6.4.0. The vulnerability resides within the sql.jsp file, specifically affecting the Statement.executeUpdate function of the Interface component. The vulnerability allows remote attackers to inject arbitrary SQL commands by manipulating the sql argument. Public exploit code is available, increasing the risk of exploitation. The vendor was notified but did not respond. This vulnerability poses a significant threat to organizations using the affected MetaCRM versions, potentially leading to data breaches, system compromise, and unauthorized access.

Attack Chain

An attacker identifies a Metasoft MetaCRM instance running a vulnerable version (<= 6.4.0).
The attacker crafts a malicious HTTP request targeting the sql.jsp file.
Within the HTTP request, the attacker manipulates the sql parameter to inject SQL code.
The crafted SQL injection payload is passed to the Statement.executeUpdate function.
The application executes the attacker-controlled SQL query against the underlying database.
The database server executes the malicious SQL command.
The attacker can read sensitive data from the database, modify existing data, or execute administrative commands.
The attacker gains unauthorized access to the system, potentially leading to complete system compromise or data exfiltration.

Impact

Successful exploitation of this SQL injection vulnerability can lead to a range of severe consequences, including unauthorized data access, data modification, and complete system compromise. Attackers could steal sensitive customer data, financial records, or intellectual property. They might also be able to modify existing data to cause financial losses or disrupt business operations. The lack of vendor response exacerbates the risk, as no official patch or mitigation is available. The CVSS score of 7.3 reflects the high potential impact of this vulnerability.

Recommendation

Inspect web server logs for suspicious POST requests targeting sql.jsp with potentially malicious SQL queries in the sql parameter to detect exploitation attempts. Reference the Sigma rule Detect-Metasoft-MetaCRM-SQL-Injection.
Deploy the Sigma rule Detect-Metasoft-MetaCRM-SQL-Error to detect SQL errors that may indicate injection attempts.
Apply input validation and sanitization to the sql parameter in sql.jsp to prevent SQL injection. This requires modifying the application code.
Monitor network traffic for unusual database activity originating from the web server, such as large data transfers or unauthorized access attempts.

Digiwin EasyFlow .NET SQL Injection Vulnerability (CVE-2026-5964)

hello@craftedsignal.io — Mon, 20 Apr 2026 08:16:10 +0000

EasyFlow .NET, a product developed by Digiwin, is affected by a critical SQL Injection vulnerability (CVE-2026-5964). This flaw allows unauthenticated remote attackers to inject arbitrary SQL commands into the application’s database queries. This can lead to the unauthorized reading, modification, or deletion of sensitive database contents. The vulnerability poses a significant risk, as it requires no prior authentication and can be exploited remotely. Public reports detailing the vulnerability were released in April 2026, and exploitation attempts are anticipated to increase. Defenders should prioritize patching and implementing detection mechanisms to mitigate potential exploitation.

Attack Chain

An unauthenticated attacker identifies an EasyFlow .NET instance exposed to the internet.
The attacker crafts a malicious HTTP request containing SQL injection payloads within a vulnerable parameter.
The EasyFlow .NET application fails to properly sanitize the input, passing the malicious SQL query to the database.
The database executes the injected SQL command, potentially revealing sensitive data.
The attacker extracts data from the database, such as user credentials or proprietary information.
The attacker leverages the SQL injection to modify database records, such as escalating privileges or injecting malicious code.
The attacker may delete data from the database, leading to denial of service or data loss.

Impact

Successful exploitation of this SQL Injection vulnerability allows unauthenticated attackers to read, modify, and delete data within the EasyFlow .NET database. This can lead to the compromise of sensitive information, including user credentials, financial data, and proprietary business information. Modified data can disrupt business operations or facilitate further attacks. Data deletion can cause significant data loss and system instability. Due to the critical nature of the vulnerability and the ease of exploitation, organizations using EasyFlow .NET are at high risk.

Recommendation

Apply the patch or upgrade to the latest version of EasyFlow .NET provided by Digiwin to remediate CVE-2026-5964.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts in HTTP Requests” to identify exploitation attempts targeting web servers.
Implement input validation and parameterized queries to prevent SQL injection vulnerabilities in web applications.
Monitor web server logs for suspicious HTTP requests containing common SQL injection keywords.

liangliangyy DjangoBlog Hardcoded Cryptographic Key Vulnerability (CVE-2026-6580)

hello@craftedsignal.io — Sun, 19 Apr 2026 23:16:33 +0000

A critical security vulnerability, CVE-2026-6580, has been identified in liangliangyy DjangoBlog, specifically versions up to 2.1.0.0. The flaw resides within the Amap API Call Handler in the owntracks/views.py file. By manipulating the key argument during API calls, a remote attacker can force the application to use a hard-coded cryptographic key. This vulnerability allows unauthorized access or modification of data that relies on this key for security. The exploit is publicly available, increasing the risk of widespread exploitation. The vendor has been notified but has not provided a response or patch.

Attack Chain

Attacker identifies a vulnerable DjangoBlog instance running a version up to 2.1.0.0.
The attacker crafts a malicious HTTP request targeting the Amap API Call Handler (owntracks/views.py).
The crafted request includes a manipulated key argument.
The DjangoBlog application processes the request and, due to the vulnerability, uses the hard-coded cryptographic key.
The attacker leverages the hard-coded key to bypass authentication or authorization checks.
The attacker gains unauthorized access to sensitive data or functionality protected by the Amap API.
The attacker potentially modifies data or performs actions on behalf of legitimate users.

Impact

Successful exploitation of CVE-2026-6580 allows attackers to bypass authentication, potentially leading to unauthorized data access, data modification, or complete system compromise. This could affect all users of the DjangoBlog instance. Given the availability of a public exploit, unpatched systems are at high risk of being targeted.

Recommendation

Inspect web server logs for requests targeting owntracks/views.py with unusual key parameter values to detect potential exploitation attempts (see the Sigma rule below).
Apply a patch as soon as it becomes available from the vendor to remediate CVE-2026-6580.
Implement input validation and sanitization for the key parameter in the Amap API Call Handler to prevent exploitation (mitigation, not detection).

liangliangyy DjangoBlog Authentication Bypass Vulnerability (CVE-2026-6577)

hello@craftedsignal.io — Sun, 19 Apr 2026 20:16:28 +0000

CVE-2026-6577 is an authentication bypass vulnerability affecting liangliangyy DjangoBlog versions up to 2.1.0.0. The vulnerability exists within an unknown function of the owntracks/views.py file related to the logtracks endpoint. Due to missing authentication, a remote attacker can inject arbitrary GPS data without proper authorization. This can lead to manipulation of location data, unauthorized access to location-based features, and potentially further compromise of the application. A public exploit for this vulnerability is available, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using DjangoBlog, potentially impacting data integrity and confidentiality.

Attack Chain

The attacker identifies a DjangoBlog instance running a vulnerable version (<= 2.1.0.0).
The attacker crafts a malicious HTTP request targeting the /owntracks/views.py logtracks endpoint.
The malicious request injects arbitrary GPS data, bypassing the authentication mechanisms.
The DjangoBlog application processes the crafted request without proper authentication checks.
The injected GPS data is stored and associated with a user or device, potentially overwriting legitimate data.
The attacker gains unauthorized access to location-based features or data due to the injected GPS coordinates.
The attacker leverages the compromised location data to perform further malicious activities, such as tracking user movements or manipulating location-based services.

Impact

Successful exploitation of CVE-2026-6577 allows attackers to inject arbitrary GPS data into vulnerable DjangoBlog instances. This can lead to the manipulation of user location data, potentially impacting location-based services and features. An attacker can track user movements, access restricted resources based on location, or even impersonate legitimate users. Given the availability of a public exploit, unpatched DjangoBlog instances are at high risk of compromise, potentially affecting hundreds of deployments. The lack of vendor response exacerbates the risk, as no official patch or mitigation is available.

Recommendation

Deploy the Sigma rule Detect Suspicious GPS Data Injection to your SIEM to identify exploitation attempts targeting the logtracks endpoint (logsource: webserver).
Inspect web server logs for requests to /owntracks/views.py with unusual parameters or patterns, potentially indicating malicious GPS data injection (logsource: webserver).
Monitor application logs for any anomalies related to GPS data processing or location-based services, which might be signs of successful exploitation (logsource: webserver).

osuuu LightPicture Hardcoded Credentials Vulnerability (CVE-2026-6574)

hello@craftedsignal.io — Sun, 19 Apr 2026 14:16:11 +0000

osuuu LightPicture, up to version 1.2.2, is vulnerable to a hardcoded credentials exposure vulnerability (CVE-2026-6574). This flaw resides within the API Upload Endpoint and is triggered when processing the /public/install/lp.sql file. An attacker can manipulate the key argument to exploit this vulnerability. The vendor has been notified about the vulnerability but has not responded. Public exploits are available, increasing the risk of exploitation. This vulnerability allows an attacker to potentially gain unauthorized access and control over the application.

Attack Chain

Attacker identifies an instance of osuuu LightPicture running version 1.2.2 or earlier.
The attacker crafts a malicious HTTP request targeting the API Upload Endpoint.
The request includes a modified key argument within the /public/install/lp.sql file path.
The application processes the crafted request without proper sanitization.
Due to the manipulated key argument, the application exposes hardcoded credentials.
The attacker retrieves the exposed hardcoded credentials from the server’s response.
The attacker leverages the acquired credentials to authenticate and gain unauthorized access to the application.
With unauthorized access, the attacker can perform malicious activities such as data theft, modification, or deletion.

Impact

Successful exploitation of CVE-2026-6574 can lead to complete compromise of the osuuu LightPicture application and potentially the underlying server. The vulnerability exposes hardcoded credentials, enabling attackers to bypass authentication and gain administrative privileges. The impact includes unauthorized access to sensitive data, modification of application settings, and potential disruption of service. The vulnerability affects all installations of osuuu LightPicture up to version 1.2.2.

Recommendation

Deploy the Sigma rule Detect Suspicious LP.SQL Access to identify attempts to access the vulnerable file (log source: webserver).
Apply input validation and sanitization to the key argument within the API Upload Endpoint to prevent manipulation (reference CVE-2026-6574).
Monitor web server logs for suspicious requests targeting the /public/install/lp.sql file with unusual parameters (log source: webserver).
If upgrading is not possible, implement a web application firewall (WAF) rule to block requests containing malicious patterns in the key argument (log source: firewall).

WeGIA SQL Injection Vulnerability (CVE-2026-40285)

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

WeGIA, a web manager for charitable institutions, is susceptible to a SQL injection vulnerability affecting versions prior to 3.6.10. This flaw, identified as CVE-2026-40285, resides in the dao/memorando/UsuarioDAO.php file. The vulnerability stems from the insecure handling of the cpf_usuario POST parameter within the DespachoControle::verificarDespacho() function, where the extract($_REQUEST) function overwrites the session-stored user identity. An attacker can then manipulate the cpf_usuario value, which is subsequently interpolated directly into a raw SQL query. This allows an authenticated user to execute arbitrary SQL queries with the privileges of an arbitrary user, potentially gaining unauthorized access to sensitive data. WeGIA version 3.6.10 addresses and resolves this critical vulnerability.

Attack Chain

An attacker authenticates to the WeGIA web application.
The attacker crafts a malicious HTTP POST request targeting the endpoint associated with DespachoControle::verificarDespacho().
The crafted POST request includes the cpf_usuario parameter with a SQL injection payload.
The extract($_REQUEST) function processes the POST data, overwriting the legitimate session-stored user identity with the attacker-controlled cpf_usuario value.
The application constructs a raw SQL query, directly interpolating the malicious cpf_usuario value into the query string without proper sanitization.
The database executes the crafted SQL query, effectively querying the database as an arbitrary user specified by the attacker in the cpf_usuario parameter.
The application returns the results of the injected SQL query to the attacker, potentially revealing sensitive information.
The attacker can leverage the SQL injection to perform unauthorized data retrieval, modification, or deletion within the WeGIA application.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-40285) allows attackers to bypass authentication and access sensitive data within the WeGIA application. This could lead to the compromise of user accounts, financial records, or other confidential information managed by charitable institutions using WeGIA. The impact could range from data breaches and financial losses to reputational damage and legal repercussions for the affected organizations. The CVSS v3.1 base score of 8.8 indicates a high level of severity.

Recommendation

Upgrade WeGIA installations to version 3.6.10 or later to remediate CVE-2026-40285.
Deploy the following Sigma rule to detect exploitation attempts by monitoring for POST requests containing potentially malicious SQL injection payloads in the cpf_usuario parameter.
Implement input validation and sanitization measures for all user-supplied data, especially within the DespachoControle::verificarDespacho() function to prevent future SQL injection vulnerabilities.
Review web server logs for suspicious POST requests targeting WeGIA endpoints to identify potential exploitation attempts.

PraisonAI Multiple Backends Vulnerable to SQL Injection via Unvalidated Table Prefix

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

PraisonAI, a software application, contains a critical SQL injection vulnerability affecting nine of its conversation store backends, including MySQL, PostgreSQL, and others. The vulnerability stems from the improper handling of the table_prefix parameter, which is passed directly into SQL queries without adequate validation. Specifically, backends such as MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, and SurrealDB are affected. In addition, the PostgreSQL backend is vulnerable due to the unvalidated schema parameter. This flaw allows an attacker to inject arbitrary SQL commands, potentially gaining unauthorized access to sensitive data. The incomplete fix for CVE-2026-40315 only addressed the SQLite backend, leaving other backends exposed. This vulnerability exists in PraisonAI versions 4.5.148 and earlier, as well as PraisonAI Agents versions 1.6.7 and earlier.

Attack Chain

An attacker identifies a PraisonAI instance where the table_prefix or schema (PostgreSQL) parameter is derived from external input (e.g., API request, user-modifiable configuration).
The attacker crafts a malicious table_prefix or schema string containing SQL injection payload (e.g., “x’; DROP TABLE users; –”).
The attacker injects the malicious table_prefix or schema via the vulnerable input vector.
The PraisonAI application receives the crafted table_prefix or schema and incorporates it into a dynamically generated SQL query without proper sanitization.
The application executes the malicious SQL query against the database.
The attacker’s injected SQL commands are executed, potentially allowing them to read, modify, or delete data within the database.
The attacker gains unauthorized access to sensitive data, such as user credentials, financial information, or other confidential data.
The attacker may escalate privileges, compromise other systems, or perform further malicious activities within the affected environment.

Impact

Successful exploitation of this vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to complete database compromise. The attacker can read sensitive data, modify existing records, inject malicious code, or even drop entire tables. This can result in significant data loss, financial damage, and reputational harm for affected organizations. This vulnerability is exploitable in any deployment where the table_prefix is derived from external input, such as in multi-tenant setups or API-driven configurations. The PostgreSQL schema parameter provides an additional injection point, further expanding the attack surface.

Recommendation

Apply input validation and sanitization to the table_prefix parameter in all database backends, mirroring the fix implemented for sqlite.py as described in the overview.
Apply input validation and sanitization to the schema parameter in the PostgreSQL backend, as noted in the overview.
Deploy the Sigma rule Detect Malicious Table Prefix to detect attempts to exploit this vulnerability in MySQL and PostgreSQL backends, as detailed below.
Upgrade PraisonAI to a version that includes proper input validation for table_prefix and schema parameters, targeting versions later than 4.5.148 for PraisonAI and later than 1.6.7 for PraisonAI Agents.

YesWiki Authenticated SQL Injection Vulnerability

hello@craftedsignal.io — Sat, 18 Apr 2026 01:00:30 +0000

YesWiki versions 4.6.0 and earlier are vulnerable to SQL injection in the bazar module. This vulnerability exists in tools/bazar/services/EntryManager.php within the formatDataBeforeSave() function. The $data['id_fiche'] value, derived from the $_POST['id_fiche'] parameter, is directly concatenated into a raw SQL query without proper sanitization. An authenticated attacker can exploit this by sending a crafted POST request to the /api/entries/{formId} endpoint. Successful exploitation enables time-based blind SQL injection, potentially leading to complete database compromise. The vulnerability was confirmed using a Docker PoC demonstrating the ability to induce a time delay using the SLEEP() function within the injected SQL.

Attack Chain

Attacker authenticates to the YesWiki application as any user. This requires a valid wikini_session cookie.
Attacker crafts a POST request to /api/entries/{formId}, where {formId} is the ID of an existing bazar form.
The POST request includes the id_fiche parameter with a malicious SQL payload, such as ' OR SLEEP(3) OR '.
ApiController::createEntry() processes the request and calls isEntry($_POST['id_fiche']).
Since the injected SQL will likely not correspond to an existing entry, the create() method is invoked.
The create() method calls formatDataBeforeSave(), which contains the SQL injection vulnerability at line 704 in EntryManager.php.
The injected SQL payload is executed by the database server via dbService->loadSingle(), without proper escaping or parameterization.
If successful, the attacker can extract sensitive information from the database, such as usernames, passwords, and other confidential data. They can also modify data within the database.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the complete compromise of the YesWiki database. This includes the potential to access and exfiltrate sensitive data, such as user credentials, configuration details, and business-critical information. Attackers can also modify or delete data, leading to data integrity issues and service disruption. Since any authenticated user can trigger the vulnerability, the impact is widespread. The vulnerability affects composer/yeswiki/yeswiki versions 4.6.0 and earlier.

Recommendation

Apply the provided patch in tools/bazar/services/EntryManager.php by escaping the $data['id_fiche'] value before using it in the SQL query (see Proposed Fix in Content section).
Deploy the Sigma rule “Detect YesWiki SQL Injection Attempt via API Entries” to detect attempts to exploit this vulnerability via suspicious id_fiche POST data.
Monitor web server logs for POST requests to /api/entries/* with unusually long or complex id_fiche parameters, as this could indicate a SQL injection attempt.
Review and audit all database queries within the YesWiki application to identify and remediate any other potential SQL injection vulnerabilities.

Movary SSRF Vulnerability (CVE-2026-40348)

hello@craftedsignal.io — Sat, 18 Apr 2026 00:16:38 +0000

Movary, a self-hosted web application for tracking and rating movies, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-40348) in versions prior to 0.71.1. This flaw allows authenticated users to manipulate the /settings/jellyfin/server-url-verify endpoint to initiate server-side HTTP requests to arbitrary internal targets. The application uses the Guzzle HTTP client to send requests based on a user-supplied URL, to which /system/info/public is appended. The absence of input validation on the target URL allows attackers to bypass intended restrictions and access internal network resources. This vulnerability enables threat actors to perform internal reconnaissance activities such as host discovery, port scanning, and service fingerprinting. Successful exploitation can lead to further compromise by exposing internal administrative interfaces or cloud metadata endpoints.

Attack Chain

An attacker authenticates to the Movary web application with a valid user account.
The attacker crafts a malicious URL targeting an internal resource, such as http://127.0.0.1/.
The attacker sends a POST request to /settings/jellyfin/server-url-verify with the crafted URL as the serverUrl parameter.
The Movary server receives the request and appends /system/info/public to the user-provided URL.
The Movary server uses the Guzzle HTTP client to initiate an HTTP request to the modified URL (e.g., http://127.0.0.1/system/info/public).
The internal service at the targeted IP address responds to the Movary server.
Based on the HTTP response code and content, the attacker can infer the existence and status of internal services. This allows for port scanning and service fingerprinting.
The attacker leverages discovered services to escalate privileges, potentially accessing sensitive data or internal administrative panels.

Impact

Successful exploitation of the SSRF vulnerability (CVE-2026-40348) in Movary can enable attackers to discover internal network infrastructure and identify vulnerable services. This can allow attackers to gain unauthorized access to sensitive information, pivot to other internal systems, or perform other malicious activities. Although no specific victim count is given, the impact of this vulnerability is potentially high for any organization using a vulnerable version of Movary.

Recommendation

Upgrade Movary to version 0.71.1 or later to patch the SSRF vulnerability (CVE-2026-40348).
Deploy the Sigma rule Detect Movary SSRF Attempt to identify potential exploitation attempts in web server logs.
Implement network segmentation and access controls to restrict access to sensitive internal services, limiting the impact of potential SSRF attacks.

Movary Privilege Escalation Vulnerability (CVE-2026-40349)

hello@craftedsignal.io — Sat, 18 Apr 2026 00:16:38 +0000

Movary is a self-hosted web application designed for users to track and rate movies they have watched. Prior to version 0.71.1, the application contains a privilege escalation vulnerability (CVE-2026-40349). An authenticated user could modify their account to gain administrative privileges without proper authorization. This is achieved by sending a PUT request to the /settings/users/{userId} endpoint with the isAdmin field set to true. This vulnerability exists because the application fails to implement sufficient authorization checks before updating the sensitive isAdmin field. Version 0.71.1 addresses this issue, mitigating the risk of unauthorized privilege escalation. The vulnerable versions expose self-hosted Movary instances to potential compromise.

Attack Chain

An attacker gains initial access to a Movary instance with a valid, non-administrative user account.
The attacker identifies the vulnerable /settings/users/{userId} endpoint that manages user profile settings.
The attacker crafts a PUT request to /settings/users/{userId}, substituting {userId} with their own user ID.
The PUT request includes the parameter isAdmin=true within the request body, attempting to modify the user’s privilege level.
The Movary server processes the PUT request without performing adequate authorization checks to verify the user’s authority to modify the isAdmin field.
The server updates the user’s account, setting the isAdmin flag to true, effectively granting the attacker administrative privileges.
The attacker logs out and back into the Movary instance.
Upon re-authentication, the attacker now possesses administrative privileges and can access and modify sensitive data, configurations, and potentially compromise the entire Movary instance.

Impact

Successful exploitation of this vulnerability allows an attacker to gain full administrative control over a Movary instance. This could lead to unauthorized access to user data, modification or deletion of movies and ratings, and potentially complete compromise of the server hosting the application. The number of affected instances is unknown but depends on the number of deployments running vulnerable versions of Movary. The severity is high, as it allows a low-privilege user to gain complete control over the application.

Recommendation

Upgrade Movary instances to version 0.71.1 or later to remediate the vulnerability (references: Overview section).
Deploy the provided Sigma rule to detect suspicious PUT requests to /settings/users/{userId} attempting to modify the isAdmin parameter (references: Sigma rule below).
Implement input validation and authorization checks on the server-side to prevent unauthorized modification of sensitive user attributes (references: CVE-2026-40349 description).

WeGIA Stored Cross-Site Scripting Vulnerability (CVE-2026-40286)

hello@craftedsignal.io — Fri, 17 Apr 2026 21:16:34 +0000

WeGIA, a web manager for charitable institutions, is vulnerable to Stored Cross-Site Scripting (XSS) in versions prior to 3.6.10. The vulnerability, identified as CVE-2026-40286, resides in the ‘Member Registration’ function, specifically the ‘Member Name’ field. Attackers can inject malicious JavaScript code into this field. Because input is not properly validated and sanitized, the injected script is then stored in the application database. Any user accessing the profile containing the malicious script will have the script executed in their browser. This can lead to session hijacking, credential theft, or defacement. WeGIA version 3.6.10 addresses this vulnerability by implementing proper input sanitization. This vulnerability was reported on April 17, 2026.

Attack Chain

An attacker identifies a vulnerable WeGIA instance running a version prior to 3.6.10.
The attacker accesses the ‘Member Registration’ (Cadastrar Sócio) page.
In the ‘Member Name’ (Nome Sócio) field, the attacker injects a malicious JavaScript payload (e.g., ).
The attacker submits the registration form.
The WeGIA application stores the malicious payload in the database without proper sanitization.
A legitimate user navigates to a page displaying the compromised ‘Member Name’ field, such as a member profile page.
The malicious JavaScript code is executed within the user’s browser.
The attacker achieves their objective, such as stealing cookies or redirecting the user to a malicious website.

Impact

Successful exploitation of this XSS vulnerability could lead to a range of consequences, including account compromise, data theft, and website defacement. An attacker could steal session cookies and impersonate legitimate users, gaining unauthorized access to sensitive information. Due to the vulnerability residing in a web application, impact is limited to the users of the application, potentially exposing sensitive information and allowing threat actors the ability to modify the application.

Recommendation

Upgrade WeGIA installations to version 3.6.10 or later to remediate CVE-2026-40286.
Implement input validation and sanitization on all user-supplied data, especially in the ‘Member Name’ field, to prevent XSS attacks.
Deploy the Sigma rule title: "Detect WeGIA XSS Attempt via HTTP Request" to detect potential XSS payloads in HTTP requests.
Enable web server logging and monitor for suspicious activity, such as unusual characters or script tags in HTTP request parameters, to identify potential XSS attempts.

Weblate Improper Privilege Management via API Endpoint (CVE-2026-34393)

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

Weblate, a web-based localization tool, contains an improper privilege management vulnerability (CVE-2026-34393) affecting versions prior to 5.17. The vulnerability lies in the user patching API endpoint, which doesn’t adequately restrict the scope of edits allowed. An attacker with low privileges could potentially exploit this flaw to modify data or settings beyond their authorized permissions. This issue was reported and patched in Weblate version 5.17. Successful exploitation can lead to data integrity issues, unauthorized access to sensitive information, and potentially, complete compromise of the Weblate instance.

Attack Chain

Attacker authenticates to Weblate with a low-privileged user account.
Attacker identifies the user patching API endpoint (e.g., /api/users/).
Attacker crafts a malicious API request to modify attributes of a different user account, potentially an administrator.
The attacker submits the request to the vulnerable API endpoint, exploiting the lack of proper scope validation.
The Weblate server processes the request without correctly verifying the attacker’s authorization to modify the target user’s attributes.
The target user’s attributes are modified according to the attacker’s request, potentially elevating the attacker’s privileges or compromising the target user’s account.
The attacker leverages the elevated privileges to access sensitive data or perform unauthorized actions within the Weblate system.
Attacker maintains persistent access by creating new admin accounts or backdoors within the Weblate system.

Impact

Successful exploitation of CVE-2026-34393 can lead to significant data breaches, unauthorized modifications, and complete compromise of the Weblate instance. An attacker could gain administrative access, modify translations, and potentially inject malicious content into localized software. The number of affected installations is currently unknown, but any Weblate instance running a version prior to 5.17 is vulnerable. Organizations that rely on Weblate for their localization workflows are at risk.

Recommendation

Immediately upgrade Weblate to version 5.17 or later to patch CVE-2026-34393.
Monitor Weblate’s web server logs for suspicious API requests targeting the user patching endpoint (/api/users/) as described in the Attack Chain (use the Sigma rule provided below).
Review user account permissions and audit logs for any unexpected privilege escalations.
Implement stricter input validation and authorization checks within the Weblate application to prevent similar vulnerabilities in the future.
Deploy the Sigma rule provided below to your SIEM to detect exploitation attempts.

wger Broken Access Control in Global Gym Configuration Update Endpoint

hello@craftedsignal.io — Thu, 16 Apr 2026 01:35:16 +0000

The wger application exposes a global configuration edit endpoint at /config/gym-config/edit that is vulnerable to broken access control. The vulnerability exists because the GymConfigUpdateView uses the wrong mixin (WgerFormMixin instead of WgerPermissionMixin), preventing proper enforcement of the config.change_gymconfig permission. This allows a low-privileged authenticated user to modify the global GymConfig singleton (pk=1), triggering server-side side effects via the GymConfig.save() method. This vertical privilege escalation allows unauthorized modification of installation-wide state and bulk updates to other users’ records, violating the intended administrative trust boundary. The vulnerability affects wger versions 2.1 and earlier.

Attack Chain

An attacker authenticates to the wger application with a low-privileged user account.
The attacker navigates to the global configuration edit endpoint at /config/gym-config/edit.
The server processes the request via the GymConfigUpdateView which inherits from WgerFormMixin.
WgerFormMixin attempts to perform ownership checks but fails because GymConfig does not implement get_owner_object().
The application allows the attacker to modify the default_gym setting.
The attacker submits the form with a modified default_gym value.
The GymConfig.save() method is called, updating UserProfile records with a gym set to null.
The attacker has successfully modified installation-wide configuration, potentially bulk-updating user records and violating administrative trust boundaries.

Impact

Successful exploitation of this vulnerability allows a low-privileged user to escalate privileges and modify global configuration settings. This could lead to unauthorized modification of user profiles and tenant assignments, affecting new registrations and existing users lacking a gym. On deployments with multiple gyms, this vulnerability can result in widespread data manipulation and a violation of the intended administrative trust boundary. The vulnerability affects wger deployments, impacting organizations that rely on the application for managing fitness and exercise data.

Recommendation

Apply the recommended fix by ensuring permission enforcement runs before the form dispatch. Implement the suggested code change in wger/config/views/gym_config.py using the project mixin by updating the inheritance order: class GymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, UpdateView): as described in the advisory.
Deploy the Sigma rule “wger GymConfig Update by Low-Privilege User” to detect unauthorized modification of the GymConfig object via the /config/gym-config/edit endpoint.
Monitor web server logs for POST requests to the /config/gym-config/edit endpoint originating from low-privileged user accounts, using the URL as an indicator.

OAuth2 Proxy Authentication Bypass via User-Agent Header

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

OAuth2 Proxy is vulnerable to an authentication bypass (CVE-2026-34457) when configured with auth_request-style integration (e.g., nginx auth_request) and either the --ping-user-agent option is set or --gcp-healthchecks is enabled. This flaw allows an unauthenticated remote attacker to gain unauthorized access to protected upstream resources. The vulnerability exists because OAuth2 Proxy incorrectly treats requests with the configured health check User-Agent value as legitimate health checks, irrespective of the requested path. This bypasses the normal login flow, granting access without proper authentication. Versions prior to v7.15.2 are affected, alongside versions <= 3.2.0. Defenders must take immediate action to remediate affected deployments.

Attack Chain

Attacker identifies an OAuth2 Proxy deployment utilizing auth_request and either --ping-user-agent or --gcp-healthchecks.
Attacker determines the configured --ping-user-agent value or identifies that --gcp-healthchecks is enabled (default User-Agent: GoogleHC/1.0).
Attacker crafts an HTTP request to a protected resource, setting the User-Agent header to the configured --ping-user-agent value (or “GoogleHC/1.0” if --gcp-healthchecks is enabled).
The reverse proxy (e.g., Nginx) forwards the request to the OAuth2 Proxy’s /oauth2/auth endpoint.
OAuth2 Proxy incorrectly interprets the request as a health check due to the matching User-Agent header.
OAuth2 Proxy responds to the reverse proxy with a 200 OK status, indicating successful authentication.
The reverse proxy, believing the authentication was successful, forwards the attacker’s request to the protected upstream resource.
Attacker successfully accesses the protected resource without authenticating, achieving unauthorized access.

Impact

Successful exploitation of this vulnerability results in complete authentication bypass, granting attackers unauthorized access to sensitive resources protected by OAuth2 Proxy. The number of affected deployments is unknown, but any organization using OAuth2 Proxy with the specified configurations is potentially at risk. This can lead to data breaches, service disruption, and other severe security incidents.

Recommendation

Upgrade to OAuth2 Proxy version v7.15.2 or later to patch CVE-2026-34457.
Disable the --gcp-healthchecks flag if it is enabled.
Remove any configured --ping-user-agent flag.
Implement reverse proxy configurations, such as the provided Nginx example, to prevent forwarding client-controlled User-Agent headers to the OAuth2 Proxy /oauth2/auth endpoint.
Deploy the Sigma rule “OAuth2 Proxy Authentication Bypass Attempt” to detect malicious requests exploiting this vulnerability.

manikandan580 School-management-system SQL Injection Vulnerability

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

A critical time-based blind SQL injection vulnerability, identified as CVE-2025-65135, affects version 1.0 of the manikandan580 School-management-system. This vulnerability resides in the /studentms/admin/between-date-reprtsdetails.php script and is exploitable through the fromdate POST parameter. Given the nature of the vulnerability, attackers can potentially bypass authentication and execute arbitrary SQL queries on the back-end database. Successful exploitation could lead to unauthorized access to sensitive student data, administrative credentials, and other confidential information managed by the school system. This vulnerability poses a significant risk to educational institutions utilizing the affected software.

Attack Chain

An unauthenticated attacker identifies the /studentms/admin/between-date-reprtsdetails.php endpoint.
The attacker crafts a malicious HTTP POST request targeting the /studentms/admin/between-date-reprtsdetails.php endpoint.
The POST request includes a manipulated fromdate parameter containing a time-based blind SQL injection payload (e.g., fromdate=1' AND SLEEP(5) -- -).
The server-side application processes the crafted SQL query without proper sanitization.
The injected SQL payload executes a SLEEP() function or equivalent based on database type, causing a delay in the server’s response if the injected condition is true.
The attacker monitors the server response time to infer the results of the injected SQL query.
The attacker uses the blind SQL injection technique to extract sensitive data from the database, such as usernames, passwords, and student records, character by character.
The attacker uses the obtained credentials to gain unauthorized administrative access to the School-management-system, leading to potential data breaches and system compromise.

Impact

Successful exploitation of CVE-2025-65135 could result in a complete compromise of the manikandan580 School-management-system. Attackers could gain access to personally identifiable information (PII) of students, financial records, and other sensitive data. This data could be used for identity theft, financial fraud, or extortion. The vulnerable system could also be used as a launchpad for further attacks against other systems within the network. Due to the potential for widespread data breaches, this vulnerability represents a critical risk for schools and educational institutions using the affected software.

Recommendation

Apply any available patches or updates released by manikandan580 to address CVE-2025-65135.
Implement input validation and sanitization measures to prevent SQL injection attacks on the fromdate POST parameter in /studentms/admin/between-date-reprtsdetails.php.
Deploy the Sigma rules provided in this brief to detect exploitation attempts targeting the vulnerable endpoint.
Monitor web server logs for suspicious POST requests to /studentms/admin/between-date-reprtsdetails.php containing SQL injection payloads.
Consider using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable application.

SQL Injection Vulnerability in anirudhkannan Grocery Store Management System 1.0 (CVE-2025-63939)

hello@craftedsignal.io — Tue, 14 Apr 2026 16:16:33 +0000

CVE-2025-63939 is a SQL injection vulnerability found in anirudhkannan Grocery Store Management System version 1.0. The vulnerability resides in the /Grocery/search_products_itname.php script, specifically related to improper input handling of the sitem_name POST parameter. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the sitem_name parameter, potentially leading to unauthorized access to the database, data exfiltration, modification, or even complete system compromise. The vulnerable software is a web application typically deployed on web servers, potentially exposing a wide range of grocery stores and related businesses to this critical flaw. This vulnerability was published on 2026-04-14.

Attack Chain

An attacker identifies an instance of anirudhkannan Grocery Store Management System 1.0 running on a web server.
The attacker crafts a malicious HTTP POST request targeting the /Grocery/search_products_itname.php endpoint.
The crafted POST request includes the sitem_name parameter, containing SQL injection payload.
The web server receives the malicious request and passes the sitem_name value to the vulnerable SQL query without proper sanitization or escaping.
The injected SQL code is executed by the database server, allowing the attacker to manipulate the database.
The attacker uses SQL injection techniques (e.g., UNION SELECT, SLEEP()) to extract sensitive data, such as user credentials, product information, or financial records.
Depending on database privileges, the attacker could modify existing data (e.g., changing product prices, altering inventory levels) or insert new data (e.g., creating rogue administrator accounts).
The attacker achieves complete control over the database, potentially leading to full system compromise, data exfiltration, or denial-of-service.

Impact

Successful exploitation of CVE-2025-63939 can have severe consequences. An attacker could gain unauthorized access to sensitive customer data, including personal information, payment details, and order history. This can lead to financial losses, reputational damage, and legal liabilities for the affected grocery store. The attacker could also manipulate product information, alter pricing, or disrupt business operations. In a worst-case scenario, the attacker could gain complete control of the database server, leading to full system compromise and significant financial and operational losses. Given the widespread use of vulnerable versions, a large number of grocery stores using this software are potentially at risk.

Recommendation

Apply the necessary patches or updates provided by the vendor to address CVE-2025-63939. If a patch is unavailable, consider implementing a web application firewall (WAF) rule to filter out malicious SQL injection attempts targeting the /Grocery/search_products_itname.php endpoint.
Deploy the Sigma rule Detecting SQL Injection Attempts via sitem_name Parameter to your SIEM to identify potential exploitation attempts.
Review and harden database access controls to limit the impact of successful SQL injection attacks.
Monitor web server logs for suspicious POST requests to /Grocery/search_products_itname.php containing potentially malicious SQL syntax, as detected by Detecting SQL Injection Attempts via sitem_name Parameter.
Inspect traffic for connections to the URL https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939 to identify potential reconnaissance activity.

PHPGurukul Daily Expense Tracking System SQL Injection Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 12:00:00 +0000

A critical security flaw has been identified in PHPGurukul Daily Expense Tracking System version 1.1. This vulnerability resides in the /register.php file and is triggered by manipulating the email argument. Successful exploitation enables remote SQL injection, potentially granting attackers unauthorized access to sensitive database information or allowing them to modify data. This vulnerability, identified as CVE-2026-6193, has a CVSS v3.1 score of 7.3, indicating a high level of severity. The existence of a publicly available exploit increases the risk of widespread exploitation. Organizations using this software should take immediate action to mitigate the risk.

Attack Chain

An attacker identifies a vulnerable instance of PHPGurukul Daily Expense Tracking System 1.1.
The attacker crafts a malicious HTTP request targeting the /register.php endpoint.
Within the request, the attacker injects SQL code into the email parameter.
The application fails to properly sanitize the input, passing the malicious SQL query to the database.
The database executes the injected SQL code, potentially allowing the attacker to read, modify, or delete data.
The attacker may leverage the initial SQL injection to escalate privileges within the database.
The attacker could potentially gain access to administrative credentials stored in the database.
Finally, the attacker uses the compromised credentials to gain full control over the application.

Impact

Successful exploitation of this SQL injection vulnerability could lead to severe consequences. Attackers could gain unauthorized access to sensitive user data, including usernames, passwords, and financial information. This could result in identity theft, financial fraud, and reputational damage for both the organization and its users. The attacker could also modify or delete data, disrupt the application’s functionality, or even gain complete control of the server. Given the availability of a public exploit, the likelihood of attacks is significantly increased.

Recommendation

Apply any available patches or updates provided by PHPGurukul to address CVE-2026-6193.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts in PHPGurukul Registration” to identify exploitation attempts targeting the /register.php endpoint.
Implement input validation and sanitization measures on the email parameter in /register.php to prevent SQL injection.
Monitor web server logs for suspicious activity, such as unusual characters or SQL syntax in the email parameter, which could indicate an attempted SQL injection (webserver log source).
Implement a Web Application Firewall (WAF) rule to block requests containing SQL injection payloads targeting /register.php.

Pachno 1.0.6 XML External Entity Injection Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 12:00:00 +0000

Pachno 1.0.6 is susceptible to an XML External Entity (XXE) injection vulnerability, identified as CVE-2026-40042. This flaw resides in the TextParser helper component, where unsafe XML parsing occurs. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the server. The attack involves injecting malicious XML entities into various parts of the application, including wiki table syntax, issue descriptions, comments, and wiki articles. The vulnerability is triggered by the use of the simplexml_load_string() function without proper restrictions (LIBXML_NONET), enabling the resolution of external entities. This issue poses a significant risk as it allows unauthorized access to sensitive data stored on the server.

Attack Chain

An unauthenticated attacker identifies a Pachno 1.0.6 instance.
The attacker crafts a malicious XML payload containing an external entity declaration. This payload aims to read a sensitive file on the server, such as /etc/passwd.
The attacker injects the malicious XML payload into a wiki page, issue description, or comment using wiki table syntax or inline tags.
The application’s TextParser helper processes the injected content using simplexml_load_string() without the LIBXML_NONET flag.
The XML parser attempts to resolve the external entity, initiating a request to read the specified file.
The targeted file’s contents are embedded into the XML response due to the XXE vulnerability.
The attacker retrieves the parsed XML response, which now contains the content of the targeted file, thus achieving unauthorized file access.
The attacker can repeat this process to access other sensitive files, potentially gaining critical information about the system and its configuration.

Impact

Successful exploitation of this XXE vulnerability (CVE-2026-40042) in Pachno 1.0.6 allows an unauthenticated attacker to read arbitrary files from the server. The impact can range from exposing sensitive configuration files and application code to potentially gaining access to user credentials or other confidential data. This information could be used for further malicious activities, such as lateral movement within the network or data exfiltration. Given the ease of exploitation and the potential for significant data leakage, this vulnerability represents a critical risk.

Recommendation

Upgrade to a patched version of Pachno that addresses CVE-2026-40042 by implementing proper XML parsing and disabling external entity resolution.
Implement input validation and sanitization to prevent the injection of malicious XML payloads into wiki pages, issue descriptions, and comments.
Monitor web server logs for requests containing XML entity declarations, which may indicate attempted exploitation of this vulnerability. See the provided Sigma rule for guidance.
Block the domains www.vulncheck.com and www.zeroscience.mk at the network level to prevent access to related advisory information, hindering attacker reconnaissance.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

SQL Injection Vulnerability in Simple Content Management System 1.0

hello@craftedsignal.io — Mon, 13 Apr 2026 15:17:49 +0000

A SQL injection vulnerability has been identified in code-projects Simple Content Management System (CMS) version 1.0. The vulnerability resides in the /web/admin/login.php file and stems from improper sanitization of user-supplied input within the User argument. An unauthenticated, remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploits exist, increasing the risk of widespread exploitation. Given the simplicity of the targeted software, many small businesses or personal websites could be running vulnerable instances.

Attack Chain

The attacker identifies a publicly accessible instance of Simple Content Management System 1.0.
The attacker crafts a malicious HTTP request targeting the /web/admin/login.php endpoint.
The crafted request includes a SQL injection payload within the User parameter.
The application fails to properly sanitize the input, passing the malicious payload to the database.
The database executes the injected SQL commands, allowing the attacker to bypass authentication.
The attacker gains unauthorized administrative access to the CMS.
The attacker modifies the CMS content or extracts sensitive data from the database.
The attacker may install a web shell for persistent access and further exploitation.

Impact

Successful exploitation of this vulnerability grants attackers unauthorized access to the Simple Content Management System 1.0. This can lead to sensitive data exfiltration, modification of website content (defacement), or complete takeover of the underlying server. The vulnerable software is likely used by individuals or small businesses, potentially leading to a significant impact on their online presence and data security. Given the public availability of exploits, mass exploitation is a realistic threat.

Recommendation

Inspect web server logs for requests to /web/admin/login.php containing suspicious characters or SQL keywords in the User parameter to detect potential exploitation attempts (see rule: “Detect SQL Injection Attempts in Simple CMS Login”).
Monitor web server logs for unusual database errors originating from /web/admin/login.php, which may indicate successful SQL injection (see rule: “Detect Simple CMS SQL Injection Errors”).
Implement input validation and sanitization on all user-supplied data, particularly within the /web/admin/login.php script, to prevent SQL injection attacks.
Organizations using code-projects Simple Content Management System 1.0 should consider migrating to a more secure platform or applying security patches if available from the vendor.

SQL Injection Vulnerability in Faculty Management System

hello@craftedsignal.io — Mon, 13 Apr 2026 07:16:51 +0000

The code-projects Faculty Management System 1.0 is vulnerable to SQL injection (CVE-2026-6167) within the /subject-print.php file. The vulnerability stems from improper sanitization of the ID argument, allowing a remote attacker to inject arbitrary SQL commands. This exploit has been publicly disclosed, increasing the risk of widespread exploitation. Given the sensitive nature of data managed by faculty management systems, successful exploitation could lead to significant data breaches, system compromise, and disruption of academic operations. The lack of required authentication to trigger the vulnerability makes it particularly dangerous.

Attack Chain

The attacker identifies a vulnerable instance of code-projects Faculty Management System 1.0 accessible over the internet.
The attacker crafts a malicious HTTP GET request targeting the /subject-print.php endpoint.
The malicious request includes a modified ID parameter containing SQL injection payloads. For example, ID=1' OR '1'='1.
The web server processes the request and passes the unsanitized ID parameter to the underlying SQL database.
The injected SQL code is executed by the database, potentially allowing the attacker to bypass authentication or access unauthorized data.
The attacker leverages the SQL injection to extract sensitive data from the database, such as usernames, passwords, student records, or financial information.
The attacker may use the extracted credentials to gain administrative access to the application.
Finally, the attacker could modify or delete data within the database, exfiltrate data, or pivot to other systems within the network.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-6167) in code-projects Faculty Management System 1.0 can lead to severe consequences. An attacker could potentially access and exfiltrate sensitive student and faculty data, modify grades, compromise user accounts, and disrupt academic operations. The public availability of the exploit increases the likelihood of widespread attacks targeting vulnerable systems, potentially impacting numerous educational institutions.

Recommendation

Inspect web server logs for suspicious HTTP requests targeting /subject-print.php with unusual characters or SQL keywords in the ID parameter to detect potential exploitation attempts. Use the provided Sigma rule to facilitate this.
Implement a web application firewall (WAF) rule to block requests containing SQL injection payloads targeting /subject-print.php.
Apply input validation and sanitization to the ID parameter in /subject-print.php to prevent SQL injection, effectively patching CVE-2026-6167.
Monitor database logs for unusual queries originating from the web application server that could indicate successful SQL injection.

SQL Injection Vulnerability in Vehicle Showroom Management System 1.0

hello@craftedsignal.io — Mon, 13 Apr 2026 06:17:51 +0000

CVE-2026-6165 identifies an SQL injection vulnerability within the code-projects Vehicle Showroom Management System version 1.0. The vulnerability resides in the /util/Login_check.php file and can be exploited by manipulating the ID argument. Successful exploitation allows attackers to inject malicious SQL queries, potentially gaining unauthorized access to sensitive data, modifying database contents, or even executing arbitrary commands on the underlying server. As a publicly available exploit exists, the risk of exploitation is elevated, making it crucial for organizations using this software to implement mitigation measures. The scope of this vulnerability impacts any deployment of the affected Vehicle Showroom Management System version 1.0 exposed to network traffic.

Attack Chain

Attacker identifies a vulnerable Vehicle Showroom Management System 1.0 instance exposed on the network.
The attacker crafts a malicious HTTP request targeting the /util/Login_check.php endpoint.
The attacker injects SQL code into the ID parameter of the HTTP request, bypassing input validation.
The web application processes the malicious SQL query without proper sanitization.
The injected SQL code is executed against the underlying database.
The attacker retrieves sensitive information from the database, such as user credentials or financial records.
The attacker may modify database entries, such as altering prices or inventory.
The attacker could potentially leverage the SQL injection to gain code execution on the server.

Impact

Successful exploitation of CVE-2026-6165 can lead to a range of severe consequences. An attacker could gain unauthorized access to sensitive customer data, including personally identifiable information (PII) and financial details. Data breaches can result in significant financial losses, reputational damage, and legal liabilities. Furthermore, the ability to modify database contents could lead to manipulated sales figures, altered inventory, or even complete disruption of business operations. The vulnerability’s potential for remote code execution poses the highest risk, allowing attackers to establish a persistent foothold within the organization’s infrastructure.

Recommendation

Apply appropriate input validation and sanitization techniques to the ID parameter in /util/Login_check.php to prevent SQL injection (CVE-2026-6165).
Deploy the provided Sigma rule to detect suspicious HTTP requests targeting /util/Login_check.php with potential SQL injection payloads.
Implement a web application firewall (WAF) to filter malicious traffic and block known SQL injection patterns.
Regularly audit and patch all software components to address known vulnerabilities.
Monitor web server logs for unusual activity and potential signs of exploitation.

SQL Injection Vulnerability in Lost and Found Thing Management 1.0

hello@craftedsignal.io — Mon, 13 Apr 2026 06:16:06 +0000

A critical SQL injection vulnerability has been identified in code-projects Lost and Found Thing Management version 1.0, tracked as CVE-2026-6163. This vulnerability resides within the /catageory.php file and can be exploited by remotely manipulating the cat parameter. Due to the application’s failure to properly sanitize user-supplied input, an attacker can inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion. The existence of a publicly available exploit increases the risk of widespread exploitation. Organizations using this software should take immediate action to mitigate the risk.

Attack Chain

An attacker identifies a vulnerable instance of Lost and Found Thing Management 1.0.
The attacker crafts a malicious HTTP GET request targeting the /catageory.php endpoint.
The crafted request includes a SQL injection payload within the cat parameter.
The web server receives the request and passes the unsanitized cat parameter to the application’s database query.
The injected SQL code is executed within the database context.
Depending on the injected code, the attacker can read sensitive data, modify existing records, or delete information from the database.
The database server processes the malicious SQL query and returns the output.
The application returns the modified output to the attacker.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-6163) could allow a remote attacker to compromise the affected Lost and Found Thing Management 1.0 application. This may lead to unauthorized access to sensitive information stored within the database, such as user credentials, personal details of individuals who have lost or found items, and information about the items themselves. The attacker can potentially modify or delete records, leading to data corruption or denial of service. Due to the availability of a public exploit, the potential impact is significant for any organization running this vulnerable software.

Recommendation

Apply available patches or updates provided by the vendor (code-projects.org) to remediate the SQL injection vulnerability in /catageory.php as soon as they become available.
Implement input validation and sanitization on all user-supplied data, particularly the cat parameter in /catageory.php, to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts via URI” to detect potential exploitation attempts against the /catageory.php endpoint.
Review and restrict database user privileges to follow the principle of least privilege, limiting the impact of successful SQL injection attacks.
Monitor web server logs for suspicious activity related to the /catageory.php endpoint, such as unusual characters or SQL keywords in the cat parameter.

Simple ChatBox Unauthenticated SQL Injection Vulnerability (CVE-2026-6161)

hello@craftedsignal.io — Mon, 13 Apr 2026 05:16:05 +0000

A critical SQL injection vulnerability, identified as CVE-2026-6161, has been discovered in Simple ChatBox version 1.0 and earlier. This flaw resides in the /chatbox/insert.php file, which is responsible for handling chat message insertion. A remote attacker can exploit this vulnerability by injecting malicious SQL code into the msg parameter of an HTTP request, without needing authentication. The attacker’s malicious SQL commands are then executed against the application database. The exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation could lead to unauthorized data access, modification, or even complete database takeover. Due to the ease of exploitation and potential impact, this vulnerability poses a significant threat to systems running vulnerable versions of Simple ChatBox.

Attack Chain

The attacker identifies a Simple ChatBox installation running version 1.0 or earlier.
The attacker crafts a malicious HTTP POST request targeting the /chatbox/insert.php endpoint.
The attacker injects SQL code into the msg parameter of the POST request. This code could be designed to extract data, modify existing data, or insert new data into the database.
The web server receives the malicious HTTP request and passes the msg parameter to the vulnerable PHP script.
The /chatbox/insert.php script fails to properly sanitize the msg parameter before using it in an SQL query.
The injected SQL code is executed against the Simple ChatBox database, granting the attacker unauthorized access.
The attacker may use this access to read sensitive data, such as user credentials or private messages.
The attacker could also modify data to deface the chatbox or inject malicious content.

Impact

Successful exploitation of CVE-2026-6161 can lead to a range of severe consequences. An attacker can gain unauthorized access to the Simple ChatBox database, potentially compromising sensitive information such as user credentials, private messages, and other application data. This can result in data breaches, identity theft, and reputational damage. Furthermore, the attacker could modify or delete data, leading to data loss or service disruption. In the worst-case scenario, the attacker could gain complete control over the database server, potentially compromising other applications or systems hosted on the same server. Due to the public availability of the exploit, unpatched Simple ChatBox installations are at significant risk of being targeted.

Recommendation

Apply appropriate input validation and sanitization techniques to the msg parameter within the /chatbox/insert.php file to prevent SQL injection (reference: CVE-2026-6161).
Deploy the provided Sigma rule to detect suspicious HTTP requests targeting /chatbox/insert.php with potentially malicious SQL payloads (reference: the Sigma rule “Detect Simple Chatbox SQL Injection Attempt”).
Implement database access controls to limit the privileges of the Simple ChatBox application to the minimum required for its operation, mitigating potential damage from successful SQL injection (reference: CVE-2026-6161).

MyT-PM 1.5.1 SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:34 +0000

MyT-PM 1.5.1 is susceptible to an SQL injection vulnerability (CVE-2019-25713) that enables authenticated attackers to execute arbitrary SQL queries. This vulnerability exists due to insufficient input sanitization of the Charge[group_total] parameter. By sending specially crafted POST requests to the /charge/admin endpoint, an attacker can inject malicious SQL code, potentially leading to sensitive data extraction, data manipulation, or other unauthorized actions. This vulnerability poses a significant risk to organizations using MyT-PM 1.5.1 as it could compromise the integrity and confidentiality of their data.

Attack Chain

An attacker authenticates to the MyT-PM 1.5.1 application.
The attacker crafts a malicious POST request targeting the /charge/admin endpoint.
Within the POST request, the attacker injects SQL code into the Charge[group_total] parameter.
The application processes the request without properly sanitizing the Charge[group_total] parameter.
The injected SQL code is executed against the underlying database.
The attacker leverages the SQL injection to extract sensitive data (e.g., user credentials, financial information) using error-based, time-based blind, or stacked query payloads.
The attacker may further manipulate data within the database, potentially altering records or creating new entries.
The attacker achieves complete control over the database, potentially leading to full system compromise.

Impact

Successful exploitation of this SQL injection vulnerability can lead to the unauthorized disclosure of sensitive information, such as user credentials, financial records, and other confidential data stored within the MyT-PM database. Attackers may also be able to modify or delete data, leading to data integrity issues and potential disruption of business operations. This could result in financial losses, reputational damage, and legal repercussions for affected organizations.

Recommendation

Apply patches or upgrade to a secure version of MyT-PM that addresses CVE-2019-25713.
Deploy the provided Sigma rule to detect potentially malicious requests containing SQL injection attempts targeting the /charge/admin endpoint and the Charge[group_total] parameter.
Implement input validation and sanitization measures to prevent SQL injection vulnerabilities in MyT-PM and other web applications.
Monitor web server logs for suspicious POST requests to /charge/admin with unusual characters or SQL keywords in the Charge[group_total] parameter.

Dolibarr ERP-CRM 8.0.4 SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:34 +0000

Dolibarr ERP-CRM is a popular open-source enterprise resource planning and customer relationship management software. Version 8.0.4 of Dolibarr is susceptible to a critical SQL injection vulnerability (CVE-2019-25710) affecting the rowid parameter in the admin dict.php endpoint. This flaw allows unauthenticated attackers to inject malicious SQL code through the rowid POST parameter. Successful exploitation enables attackers to execute arbitrary SQL queries against the Dolibarr database, potentially leading to the exposure of sensitive information, modification of data, or complete compromise of the application. This vulnerability can be exploited using error-based SQL injection techniques.

Attack Chain

The attacker identifies a vulnerable Dolibarr ERP-CRM instance running version 8.0.4.
The attacker crafts a malicious HTTP POST request targeting the admin/dict.php endpoint.
The request includes the rowid parameter containing a SQL injection payload.
The server-side application processes the request and executes the injected SQL code within the database query.
The attacker leverages error-based SQL injection techniques to extract sensitive information from the database, such as user credentials, API keys, or financial data.
The attacker analyzes the error messages returned by the application to refine the SQL injection payload and bypass any security measures.
The attacker potentially uses the extracted credentials to gain unauthorized access to other parts of the application or the underlying system.

Impact

Successful exploitation of this SQL injection vulnerability can lead to severe consequences, including unauthorized access to sensitive data, data breaches, and complete compromise of the Dolibarr ERP-CRM system. The vulnerability allows attackers to extract sensitive database information, modify data, or potentially execute arbitrary code on the server. Given that ERP and CRM systems often contain critical business data, the impact can be significant for affected organizations.

Recommendation

Apply patches or upgrade to a secure version of Dolibarr ERP-CRM to remediate CVE-2019-25710.
Deploy the Sigma rule Detect Suspicious Dolibarr rowid Parameter SQL Injection Attempt to your SIEM to identify potential exploitation attempts against the admin/dict.php endpoint.
Monitor web server logs for unusual POST requests to admin/dict.php with suspicious characters or SQL keywords in the rowid parameter to detect potential attacks.
Implement web application firewall (WAF) rules to filter out malicious SQL injection payloads targeting the rowid parameter in admin/dict.php.

eBrigade ERP 4.5 SQL Injection Vulnerability (CVE-2019-25707)

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:33 +0000

eBrigade ERP 4.5 is susceptible to an SQL injection vulnerability (CVE-2019-25707) that enables authenticated attackers to execute arbitrary SQL queries. The vulnerability is located in the pdf.php script and is triggered via the ‘id’ parameter. By injecting malicious SQL code into this parameter through a GET request, an attacker can potentially extract sensitive information from the database, including table names and schema details. This vulnerability poses a significant risk to organizations using eBrigade ERP 4.5, as successful exploitation could lead to data breaches, compromised credentials, and other malicious activities. The vulnerability was published on 2026-04-12.

Attack Chain

An attacker gains valid credentials for eBrigade ERP 4.5 either through credential stuffing or some other credential compromise technique.
The attacker crafts a malicious SQL payload designed to extract sensitive information or manipulate the database.
The attacker constructs a GET request targeting the pdf.php endpoint, embedding the malicious SQL payload within the ‘id’ parameter (e.g., pdf.php?id=1' UNION SELECT ...).
The server-side application fails to properly sanitize or validate the ‘id’ parameter before incorporating it into an SQL query.
The application executes the attacker-controlled SQL query against the database.
The database returns the results of the injected SQL query to the application.
The application displays the extracted data to the attacker.
The attacker uses the extracted data (database schema, usernames, passwords, etc.) to further compromise the application or gain unauthorized access to other systems.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2019-25707) can lead to the extraction of sensitive information from the eBrigade ERP 4.5 database. This could include customer data, financial records, employee information, and other confidential data. The impact could range from data breaches and financial losses to reputational damage and legal repercussions. While the exact number of victims is unknown, any organization using eBrigade ERP 4.5 is potentially at risk.

Recommendation

Inspect web server access logs for suspicious GET requests to pdf.php containing SQL syntax in the id parameter to detect exploitation attempts using the provided Sigma rule.
Apply input validation and sanitization to the ‘id’ parameter in pdf.php to prevent SQL injection attacks.
Upgrade to a patched version of eBrigade ERP or apply the necessary security patches provided by the vendor to remediate CVE-2019-25707.
Monitor network traffic for unusual database activity originating from the eBrigade ERP 4.5 server.
Block access to the known exploit URL (https://www.exploit-db.com/exploits/46117) at your web proxy or firewall.

zhayujie chatgpt-on-wechat CowAgent Authentication Bypass Vulnerability (CVE-2026-6126)

hello@craftedsignal.io — Sun, 12 Apr 2026 11:16:16 +0000

A critical vulnerability, CVE-2026-6126, has been discovered in zhayujie chatgpt-on-wechat CowAgent version 2.0.4. This flaw resides within an unspecified function of the Administrative HTTP Endpoint component. Successful exploitation of this vulnerability allows remote attackers to bypass authentication mechanisms, potentially leading to unauthorized access and control over the affected system. The vulnerability is due to missing authentication checks on a critical function. Publicly available exploits exist, increasing the likelihood of exploitation. The project maintainers were notified; however, there has been no response at the time of this writing. This poses a significant risk to any deployment of chatgpt-on-wechat CowAgent 2.0.4 accessible over a network.

Attack Chain

Attacker identifies a vulnerable instance of zhayujie chatgpt-on-wechat CowAgent 2.0.4.
Attacker crafts a malicious HTTP request targeting the Administrative HTTP Endpoint.
The malicious request bypasses authentication due to the missing authentication vulnerability (CVE-2026-6126).
The request executes an unauthorized administrative function.
Attacker gains unauthorized access to sensitive data or configuration.
Attacker deploys a persistent backdoor for long-term access.
Attacker uses the backdoor to pivot to other systems or networks.

Impact

Successful exploitation of CVE-2026-6126 can lead to complete compromise of the chatgpt-on-wechat CowAgent instance. This may enable attackers to access sensitive data, modify configurations, or disrupt services. Given that the application integrates with WeChat, a successful attack might expose sensitive user data or allow the attacker to conduct further attacks via the compromised instance. Due to the ease of exploitation and public availability of exploit code, the risk is considered high.

Recommendation

Apply available patches or updates for zhayujie chatgpt-on-wechat CowAgent to address CVE-2026-6126 as soon as they are released.
Monitor web server logs for suspicious activity targeting the Administrative HTTP Endpoint using the Sigma rule provided below.
Implement network segmentation to limit the potential impact of a compromised CowAgent instance.
Deploy a web application firewall (WAF) with rules to detect and block exploit attempts targeting CVE-2026-6126.
Conduct regular security audits of the chatgpt-on-wechat CowAgent deployment to identify and remediate potential vulnerabilities.

Chamilo LMS Session Fixation Vulnerability (CVE-2026-31940)

hello@craftedsignal.io — Sat, 11 Apr 2026 14:30:00 +0000

Chamilo LMS, a learning management system, is susceptible to a session fixation vulnerability (CVE-2026-31940) in versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability stems from the application’s handling of user-controlled request parameters in the main/lp/aicc_hacp.php file. Specifically, these parameters are used directly to set the PHP session ID before the global bootstrap is loaded. This allows an attacker to potentially set a predictable session ID for a user, leading to session hijacking. The vulnerability was reported and patched, with fixes available in versions 1.11.38 and 2.0.0-RC.3. This is important for defenders to address to ensure integrity and confidentiality of user sessions.

Attack Chain

Attacker crafts a malicious URL or form containing a specific session ID.
Attacker lures a victim to access the crafted URL or form.
The victim’s browser sends a request to the Chamilo LMS server with the attacker-controlled session ID.
The Chamilo LMS application, specifically the main/lp/aicc_hacp.php script, uses the attacker-provided session ID to initialize the PHP session.
The victim authenticates to the Chamilo LMS application.
The attacker uses the predetermined session ID to access the victim’s authenticated session.
Attacker gains unauthorized access to the victim’s account and associated data within the Chamilo LMS.

Impact

Successful exploitation of this vulnerability allows an attacker to hijack legitimate user sessions on a Chamilo LMS instance. This could result in unauthorized access to sensitive student or instructor data, modification of course content, or other malicious activities. The impact is high, particularly for educational institutions and organizations that rely on Chamilo LMS for their online learning platforms.

Recommendation

Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-31940.
Monitor web server logs for suspicious requests to main/lp/aicc_hacp.php containing unusual session ID parameters. Use the provided Sigma rule to detect potential exploitation attempts.
Implement the “Detect Potentially Malicious Session ID Parameter” Sigma rule to identify exploitation attempts.

TREK Travel Planner Missing Authorization Vulnerability (CVE-2026-40185)

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

TREK is a collaborative travel planning application. Prior to version 2.7.2, a critical vulnerability existed within the application related to authorization checks. Specifically, the Immich trip photo management routes lacked proper authorization checks. This flaw, identified as CVE-2026-40185, could potentially allow unauthorized users to access and manipulate trip photos if exploited. The vulnerability was reported by GitHub, Inc. and patched in version 2.7.2 of TREK. Defenders should ensure they are running version 2.7.2 or later of the TREK application to mitigate this risk. This vulnerability affects systems running the vulnerable versions of the TREK application and could impact the confidentiality and integrity of user data.

Attack Chain

An attacker identifies a vulnerable TREK instance running a version prior to 2.7.2.
The attacker crafts a malicious HTTP request targeting the Immich trip photo management routes.
Due to the missing authorization checks, the attacker bypasses authentication requirements.
The attacker gains unauthorized access to trip photos.
The attacker may modify or delete trip photos, impacting data integrity.
The attacker could potentially use the exposed data to gather sensitive information about the trip and its participants.
The attacker could potentially upload malicious images to the photo storage.

Impact

Successful exploitation of CVE-2026-40185 can lead to unauthorized access and modification of trip photos within the TREK travel planner application. While the exact number of affected users is unknown, any TREK instance running a version prior to 2.7.2 is susceptible. This could result in a breach of confidentiality, potential data manipulation, and reputational damage for the application. Sectors that rely on collaborative travel planning may be particularly affected.

Recommendation

Upgrade all TREK instances to version 2.7.2 or later to remediate CVE-2026-40185.
Deploy the Sigma rule Detect Suspicious TREK Photo Route Access to detect potential exploitation attempts targeting the vulnerable photo management routes.
Monitor web server logs for unusual activity related to the Immich trip photo management routes.
Monitor network traffic for unusual patterns or connections to the TREK server that might indicate exploitation attempts.

DotNetNuke.Core Stored XSS via SVG Upload

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

DotNetNuke.Core versions prior to 10.2.2 are vulnerable to stored cross-site scripting (XSS). An attacker can exploit this vulnerability by uploading a malicious SVG file to the DotNetNuke server. This file contains embedded JavaScript that executes when the SVG is processed and displayed by the application. Successful exploitation requires a user to interact with the uploaded SVG file, which then triggers the malicious script execution. This poses a significant risk as the injected scripts can target both authenticated and unauthenticated users, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. This vulnerability was published on April 10, 2026, and patched in version 10.2.2.

Attack Chain

An attacker crafts a malicious SVG file containing embedded JavaScript code designed for XSS exploitation.
The attacker, with low privileges, uploads the malicious SVG file to the DotNetNuke server through a file upload functionality.
The server stores the SVG file, making it accessible to other users.
A user (either authenticated or unauthenticated) navigates to the location where the SVG file is stored or displayed.
The user’s browser processes the SVG file, triggering the execution of the embedded JavaScript.
The malicious script executes within the user’s browser session, gaining access to cookies, session tokens, and other sensitive information.
The attacker steals user’s cookies and session tokens.
The attacker uses stolen session tokens to hijack the user’s session, perform unauthorized actions, and potentially escalate privileges.

Impact

Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user’s session. This can lead to sensitive information disclosure, such as stealing user credentials or session cookies. An attacker can then hijack user sessions, perform unauthorized actions on their behalf, and potentially gain elevated privileges within the DotNetNuke application. Due to the nature of stored XSS, the impact can be widespread, affecting any user who interacts with the malicious SVG file until the vulnerability is patched.

Recommendation

Upgrade DotNetNuke.Core to version 10.2.2 or later to patch the XSS vulnerability (reference: Affected versions).
Implement server-side validation to sanitize uploaded SVG files and prevent the injection of malicious scripts (reference: Description).
Deploy the Sigma rule provided below to detect attempts to upload SVG files containing JavaScript code (reference: Sigma rule “Detect SVG Upload with Embedded JavaScript”).
Configure web application firewalls (WAFs) to inspect and block suspicious SVG uploads based on content analysis (reference: Description).
Enable logging for file uploads to track potential malicious activity (reference: logsource category “file_event”).

CouchCMS Privilege Escalation via f_k_levels_list Parameter Manipulation (CVE-2026-29002)

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

CVE-2026-29002 identifies a privilege escalation vulnerability in CouchCMS. This flaw allows authenticated users with Admin-level privileges to elevate their access to SuperAdmin by tampering with the f_k_levels_list parameter during the user creation process. By modifying the value of this parameter from “4” to “10” in the HTTP request body, an attacker can bypass authorization checks, effectively circumventing restrictions on SuperAdmin account creation and privilege assignment. This vulnerability allows the attacker to gain complete control over the CouchCMS application. Successful exploitation requires valid Admin-level credentials and the ability to modify HTTP request parameters.

Attack Chain

An attacker obtains valid Admin-level credentials for a CouchCMS instance.
The attacker navigates to the user creation page within the CouchCMS admin panel.
The attacker intercepts the HTTP request generated when submitting the user creation form.
The attacker modifies the f_k_levels_list parameter in the HTTP request body, changing its value from “4” (Admin) to “10” (SuperAdmin).
The attacker submits the modified HTTP request to the CouchCMS server.
The CouchCMS server, due to insufficient authorization validation, creates a new user account with SuperAdmin privileges.
The attacker logs in with the newly created SuperAdmin account.
The attacker gains full control over the CouchCMS application, including the ability to modify system settings, access sensitive data, and potentially compromise the underlying server.

Impact

Successful exploitation of CVE-2026-29002 leads to complete compromise of the CouchCMS application. An attacker with SuperAdmin privileges can access and modify any data within the CMS, potentially defacing websites, stealing sensitive information, or disrupting services. The vulnerability affects all CouchCMS installations where user creation is enabled and accessible to Admin-level users.

Recommendation

Apply the patch or upgrade to a version of CouchCMS that addresses CVE-2026-29002.
Deploy the Sigma rule Detect CouchCMS SuperAdmin Creation via Parameter Tampering to your SIEM to detect attempts to exploit this vulnerability.
Monitor web server logs for POST requests to the user creation endpoint with a modified f_k_levels_list parameter.
Implement strict input validation and authorization checks on the server-side to prevent unauthorized modification of user privileges.

Chamilo LMS Privilege Escalation via REST API (CVE-2026-33706)

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

CVE-2026-33706 affects Chamilo LMS, a learning management system. Prior to version 1.11.38, the vulnerability allows an authenticated user, specifically a student (status=5), with a valid REST API key, to elevate their privileges. This is achieved by exploiting the update_user_from_username endpoint in the REST API. By sending a crafted request, a student can modify their user status to Teacher/CourseManager (status=1). This privilege escalation grants the attacker the ability to create and manage courses, access sensitive data, and potentially disrupt the learning environment. The vulnerability has been patched in version 1.11.38, so upgrading is strongly recommended. This vulnerability highlights the importance of proper access controls and input validation in web applications.

Attack Chain

Attacker obtains valid credentials for a student account within the Chamilo LMS.
Attacker generates a REST API key associated with their student account.
Attacker crafts a malicious HTTP POST request targeting the update_user_from_username endpoint.
The POST request includes the attacker’s username and a modified status value (e.g., from 5 to 1) within the request body.
The attacker sends the crafted request to the Chamilo LMS server, authenticating with their REST API key.
The Chamilo LMS server, lacking proper authorization checks, updates the attacker’s user status in the database.
The attacker logs out and then logs back in to the Chamilo LMS.
Upon re-authentication, the attacker now has Teacher/CourseManager privileges, enabling them to create and manage courses, access student data, and modify system settings.

Impact

Successful exploitation of CVE-2026-33706 allows a student to gain administrative control over the Chamilo LMS platform. This can lead to unauthorized course creation, modification of student grades, data theft, and disruption of the learning environment. The number of potential victims depends on the number of Chamilo LMS instances running a vulnerable version (prior to 1.11.38). If successful, an attacker could potentially compromise the entire learning platform and its users.

Recommendation

Upgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-33706.
Implement strict access control policies and regularly audit user permissions to prevent unauthorized privilege escalation.
Monitor web server logs for suspicious POST requests to the update_user_from_username endpoint (see example Sigma rule below).
Deploy the provided Sigma rule to detect potential exploitation attempts in real-time.

Chartbrew Cross-Tenant Authorization Bypass Vulnerability

hello@craftedsignal.io — Fri, 10 Apr 2026 20:16:21 +0000

Chartbrew, an open-source web application used for creating charts from databases and APIs, is vulnerable to a cross-tenant authorization bypass (CVE-2026-32252) in versions prior to 4.9.0. This vulnerability resides in the GET /team/:team_id/template/generate/:project_id endpoint. Specifically, the checkAccess function doesn’t await its promise and fails to validate if the project_id belongs to the specified team_id or the attacker’s team. This allows an authenticated attacker with template generation permissions in their own team to request and receive template model data for projects belonging to other teams. Upgrading to version 4.9.0 or later resolves this issue.

Attack Chain

Attacker authenticates to a Chartbrew instance with valid credentials and template generation permissions within their own team.
Attacker identifies a valid team_id belonging to a victim team. This could be done through enumeration of team IDs, social engineering, or other means.
Attacker identifies a valid project_id belonging to the victim team. This may require some level of prior knowledge or reconnaissance.
Attacker crafts a GET request to /team/:victim_team_id/template/generate/:victim_project_id, replacing :victim_team_id and :victim_project_id with the identified values.
The Chartbrew server receives the request and calls the checkAccess function, but does not await the promise.
Due to the missing validation of the project_id against the team_id and the caller’s team, the authorization check is bypassed.
The server retrieves the template model data associated with the victim’s project.
The server returns the victim’s project data to the attacker.

Impact

Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to sensitive project data belonging to other teams within the Chartbrew application. This could include confidential database connection strings, API keys, data schemas, and other information that could be used to further compromise the victim’s systems or data. The number of affected organizations depends on the adoption rate of Chartbrew instances prior to version 4.9.0.

Recommendation

Upgrade Chartbrew to version 4.9.0 or later to patch CVE-2026-32252.
Implement the Sigma rule Detect Chartbrew Template Generation Request to identify potential exploitation attempts in web server logs.
Monitor web server logs for unusual requests to the /team/*/template/generate/* endpoint using a WAF or similar tool.

Vehicle Showroom Management System SQL Injection Vulnerability (CVE-2026-6038)

hello@craftedsignal.io — Fri, 10 Apr 2026 09:20:18 +0000

A SQL injection vulnerability, identified as CVE-2026-6038, has been discovered in version 1.0 of the code-projects Vehicle Showroom Management System. This vulnerability resides within the /util/RegisterCustomerFunction.php file, and can be exploited by manipulating the BRANCH_ID argument. The vulnerability allows for remote exploitation, meaning an attacker does not need local access to the system. Publicly available exploit code exists, increasing the likelihood of exploitation. Successful exploitation could allow an attacker to read, modify, or delete sensitive data within the application’s database. This vulnerability was published on 2026-04-10.

Attack Chain

Attacker identifies a vulnerable instance of Vehicle Showroom Management System 1.0.
Attacker crafts a malicious HTTP request targeting /util/RegisterCustomerFunction.php.
The crafted request includes a SQL injection payload within the BRANCH_ID parameter.
The application fails to properly sanitize the BRANCH_ID input.
The unsanitized input is incorporated into a SQL query executed by the application.
The SQL injection payload manipulates the query to extract sensitive data or modify database records.
The application returns the results of the manipulated query to the attacker.

Impact

Successful exploitation of CVE-2026-6038 can lead to unauthorized access to the Vehicle Showroom Management System’s database. This could result in the disclosure of sensitive customer information (names, addresses, financial details), modification of vehicle inventory data, or even complete compromise of the application’s data integrity. The impact would depend on the level of privileges the application’s database user has and the attacker’s objectives, but it is a high-severity vulnerability due to the ease of exploitation and potential for significant data breach or manipulation.

Recommendation

Inspect web server logs for suspicious POST requests to /util/RegisterCustomerFunction.php containing unusual characters or SQL keywords in the BRANCH_ID parameter using the Sigma rule “Detect SQL Injection Attempt via BRANCH_ID Parameter”.
Apply input validation and sanitization to the BRANCH_ID parameter within the /util/RegisterCustomerFunction.php file to prevent SQL injection.
Monitor database logs for anomalous queries originating from the Vehicle Showroom Management System’s application user.

SQL Injection Vulnerability in Vehicle Showroom Management System 1.0 (CVE-2026-6036)

hello@craftedsignal.io — Fri, 10 Apr 2026 09:16:51 +0000

CVE-2026-6036 is a SQL injection vulnerability affecting Vehicle Showroom Management System version 1.0. The vulnerability resides within the /util/VehicleDetailsFunction.php file, specifically involving the VEHICLE_ID parameter. An unauthenticated attacker can remotely exploit this vulnerability by injecting malicious SQL code into the VEHICLE_ID argument. This allows for the potential execution of arbitrary SQL commands on the underlying database, potentially leading to data breaches, modification, or complete system compromise. A public exploit exists, increasing the likelihood of exploitation. The vulnerable software is commonly used for managing vehicle inventory and showroom operations, making organizations that rely on this software potential targets.

Attack Chain

An attacker identifies a Vehicle Showroom Management System 1.0 instance exposed to the internet.
The attacker crafts a malicious HTTP request targeting /util/VehicleDetailsFunction.php.
The request includes a modified VEHICLE_ID parameter containing SQL injection payloads.
The application fails to properly sanitize the VEHICLE_ID input.
The unsanitized input is directly incorporated into an SQL query.
The injected SQL code is executed against the database.
The attacker retrieves sensitive information from the database, such as user credentials, vehicle details, or financial records.
The attacker uses the obtained credentials to gain unauthorized access to the system or exfiltrates the data.

Impact

Successful exploitation of CVE-2026-6036 allows an attacker to execute arbitrary SQL queries against the Vehicle Showroom Management System’s database. This could lead to the disclosure of sensitive customer information, modification of vehicle inventory data, or even complete compromise of the system. The vulnerability could result in significant financial losses, reputational damage, and legal liabilities for affected organizations. While the number of affected installations is unknown, Vehicle Showroom Management Systems are commonly used by dealerships and automotive businesses, making them attractive targets.

Recommendation

Apply appropriate input validation and sanitization techniques to the VEHICLE_ID parameter in /util/VehicleDetailsFunction.php to prevent SQL injection attacks.
Deploy the Sigma rule Detect Suspicious SQL Injection Attempts in Vehicle Showroom Management System to your SIEM and tune for your environment to detect exploitation attempts.
Monitor web server logs for suspicious requests targeting /util/VehicleDetailsFunction.php with potentially malicious VEHICLE_ID parameters.
Consider using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint.

PraisonAI SSRF Vulnerability via Unvalidated Webhook URL

hello@craftedsignal.io — Thu, 09 Apr 2026 22:16:35 +0000

PraisonAI, a multi-agent teams system, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability affecting versions prior to 4.5.128. The vulnerability resides in the /api/v1/runs endpoint, which accepts a webhook_url parameter in the request body without proper validation. This allows an unauthenticated attacker to specify an arbitrary URL, causing the PraisonAI server to send an HTTP POST request to that URL upon job completion. This flaw enables attackers to target internal services, cloud metadata endpoints, and other network-adjacent resources, potentially leading to information disclosure, privilege escalation, or denial-of-service. Organizations using affected versions of PraisonAI should upgrade to version 4.5.128 or later to mitigate this risk.

Attack Chain

An unauthenticated attacker identifies a PraisonAI instance running a version prior to 4.5.128.
The attacker crafts a malicious HTTP POST request to the /api/v1/runs endpoint.
The crafted request includes a webhook_url parameter containing a URL pointing to an internal service, cloud metadata endpoint, or external attacker-controlled server.
The PraisonAI server receives the request and queues a job.
The job completes (either successfully or with an error).
Upon completion, the server, using httpx.AsyncClient, initiates an HTTP POST request to the URL specified in the webhook_url parameter.
If the webhook_url points to an internal service, the attacker can potentially access sensitive information or trigger actions within that service.
If the webhook_url points to a cloud metadata endpoint, the attacker can retrieve cloud credentials or configuration details.

Impact

Successful exploitation of this SSRF vulnerability allows an unauthenticated attacker to force the PraisonAI server to make arbitrary HTTP POST requests. This can lead to the exposure of sensitive information from internal services or cloud metadata, potentially granting the attacker unauthorized access to systems and data. The vulnerability could also be leveraged to perform denial-of-service attacks against internal resources. While the exact number of affected organizations is unknown, any organization running a vulnerable version of PraisonAI is at risk.

Recommendation

Upgrade PraisonAI instances to version 4.5.128 or later to remediate CVE-2026-40114.
Inspect web server logs for requests to the /api/v1/runs endpoint containing suspicious webhook_url parameters to detect potential exploitation attempts. Deploy the Sigma rule to detect suspicious webhook URLs.
Monitor network traffic for unexpected outbound connections originating from the PraisonAI server to internal or external destinations, as this could indicate SSRF exploitation.

AGiXT Path Traversal Vulnerability (CVE-2026-39981)

hello@craftedsignal.io — Thu, 09 Apr 2026 18:17:02 +0000

AGiXT, a dynamic AI Agent Automation Platform, contains a critical vulnerability (CVE-2026-39981) affecting versions prior to 1.9.2. The vulnerability lies in the safe_join() function within the essential_abilities extension. This function fails to adequately validate file paths, creating an opportunity for authenticated attackers to perform directory traversal attacks. By exploiting this flaw, an attacker can manipulate file paths to access files outside the designated agent workspace, resulting in arbitrary file read, write, or deletion capabilities on the server hosting the AGiXT instance. This issue was addressed and resolved in AGiXT version 1.9.2. This vulnerability could allow an attacker to gain complete control over the AGiXT server.

Attack Chain

The attacker authenticates to the AGiXT application.
The attacker crafts a malicious request targeting the safe_join() function within the essential_abilities extension.
The malicious request includes directory traversal sequences (e.g., ../) to navigate outside the intended agent workspace.
The safe_join() function fails to properly sanitize the input, allowing the traversal sequences to take effect.
The attacker gains the ability to read arbitrary files on the server using the path traversal.
The attacker exploits the ability to write to arbitrary files to inject malicious code or overwrite existing system files.
The attacker leverages the write access to establish persistence, potentially by modifying system startup scripts or scheduled tasks.
The attacker achieves arbitrary code execution on the server hosting the AGiXT instance, potentially leading to complete system compromise.

Impact

Successful exploitation of CVE-2026-39981 can lead to complete compromise of the AGiXT server. An attacker could gain unauthorized access to sensitive data, modify system configurations, install malware, or disrupt services. This vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. The impact could be significant for organizations relying on AGiXT for critical operations, potentially leading to data breaches, financial losses, and reputational damage. The number of victims and specific sectors targeted are currently unknown.

Recommendation

Upgrade AGiXT to version 1.9.2 or later to remediate CVE-2026-39981 (references: https://github.com/Josh-XT/AGiXT/releases/tag/v1.9.2).
Implement input validation and sanitization measures to prevent directory traversal attacks.
Monitor AGiXT application logs for suspicious file access attempts and path manipulation sequences.
Deploy the Sigma rules below to your SIEM to detect potential exploitation attempts targeting CVE-2026-39981.

PHPGurukul News Portal Project SQL Injection Vulnerability (CVE-2026-5837)

hello@craftedsignal.io — Thu, 09 Apr 2026 04:17:23 +0000

CVE-2026-5837 describes a SQL injection vulnerability affecting PHPGurukul News Portal Project version 4.1. The vulnerability resides in the /news-details.php file and is triggered by manipulating the Comment argument. Successful exploitation allows remote attackers to inject arbitrary SQL commands into the application’s database queries. The vulnerability has a CVSS v3.1 score of 7.3, indicating a high severity. Publicly available exploits exist, increasing the risk of active exploitation. Organizations using PHPGurukul News Portal Project 4.1 are urged to investigate and mitigate this vulnerability immediately. The lack of specific patching information emphasizes the importance of proactive detection and prevention measures.

Attack Chain

An attacker identifies a vulnerable PHPGurukul News Portal Project 4.1 instance accessible over the internet.
The attacker crafts a malicious HTTP request targeting the /news-details.php endpoint.
Within the request, the Comment parameter is manipulated to inject SQL code. For example, the attacker might inject a payload such as ' OR '1'='1 to bypass authentication or extract data.
The vulnerable application processes the crafted request without proper sanitization of the Comment parameter.
The injected SQL code is embedded within a database query executed by the application.
The database server executes the attacker-controlled SQL query, potentially allowing the attacker to read, modify, or delete data.
The application returns the results of the injected SQL query to the attacker, potentially revealing sensitive information or confirming successful code execution.
The attacker leverages the SQL injection vulnerability to potentially gain unauthorized access to sensitive data, modify website content, or even gain control of the underlying server.

Impact

Successful exploitation of CVE-2026-5837 can lead to unauthorized access to sensitive information stored in the PHPGurukul News Portal Project’s database. An attacker could potentially steal user credentials, financial data, or other confidential information. The attacker could also modify website content, inject malicious code, or even gain control of the underlying server. Given the public availability of exploits, vulnerable instances are at immediate risk of compromise.

Recommendation

Deploy the Sigma rule Detecting SQL Injection in PHPGurukul News Portal to identify attempts to exploit CVE-2026-5837 by monitoring for suspicious characters in the cs-uri-query field of web server logs.
Apply web application firewall (WAF) rules to block requests containing common SQL injection payloads.
Review and harden the /news-details.php page to properly sanitize the Comment input field.
Monitor web server logs for unusual activity, especially related to the /news-details.php endpoint, and correlate with other security events.

code-projects Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5829)

hello@craftedsignal.io — Thu, 09 Apr 2026 02:16:17 +0000

CVE-2026-5829 is a SQL injection vulnerability affecting version 1.0 of the code-projects Simple IT Discussion Forum. The vulnerability resides in the /pages/content.php file and is triggered by manipulating the post_id argument. Successful exploitation allows a remote attacker to execute arbitrary SQL queries on the underlying database. Given the public disclosure of the exploit, instances of Simple IT Discussion Forum 1.0 are at immediate risk. This is a critical vulnerability as it potentially allows an attacker to read sensitive data, modify existing data, or even gain complete control of the application and its underlying infrastructure.

Attack Chain

The attacker identifies a vulnerable Simple IT Discussion Forum 1.0 instance accessible over the network.
The attacker crafts a malicious HTTP GET or POST request targeting /pages/content.php.
The crafted request includes the post_id parameter containing a SQL injection payload.
The application fails to properly sanitize the post_id input.
The unsanitized post_id parameter is used in a SQL query executed against the database.
The SQL injection payload allows the attacker to bypass intended query logic.
The attacker is able to extract sensitive information from the database or modify data.
The attacker could potentially leverage the SQL injection to execute operating system commands via SQL Server’s xp_cmdshell or similar functionality if available.

Impact

Successful exploitation of CVE-2026-5829 can lead to significant data breaches, data manipulation, and potential system compromise. Attackers could gain unauthorized access to sensitive user data, including credentials and personal information. The impact ranges from defacement of the forum to complete control of the web server hosting the application. The vulnerability allows attackers to read, modify, or delete data stored in the forum’s database.

Recommendation

Apply appropriate input validation and sanitization to the post_id parameter in /pages/content.php to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Suspicious SQL Injection Attempts via POST ID” to identify potential exploitation attempts targeting the post_id parameter.
Monitor web server logs for suspicious requests containing SQL injection payloads in the post_id parameter.
Review and harden database server configurations to limit the privileges of the database user account used by the Simple IT Discussion Forum application.

Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5827)

hello@craftedsignal.io — Thu, 09 Apr 2026 01:16:50 +0000

A SQL injection vulnerability, identified as CVE-2026-5827, affects code-projects Simple IT Discussion Forum version 1.0. The vulnerability resides in the /question-function.php file and is triggered by manipulating the content argument. Successful exploitation allows a remote attacker to inject arbitrary SQL commands, potentially leading to data exfiltration, modification, or complete system compromise. This vulnerability is considered high risk due to its ease of exploitation and the sensitive nature of data often stored in forum databases. The exploit is publicly available, increasing the likelihood of widespread exploitation. Defenders should prioritize patching and implementing mitigations to prevent potential attacks against vulnerable Simple IT Discussion Forum instances.

Attack Chain

Attacker identifies a vulnerable Simple IT Discussion Forum 1.0 instance.
The attacker crafts a malicious HTTP request targeting /question-function.php.
The crafted request includes a SQL injection payload within the content argument.
The application fails to properly sanitize the input, passing the malicious SQL query to the database.
The database executes the injected SQL code.
The attacker can extract sensitive data, such as user credentials or forum content.
The attacker may modify data within the database, altering forum posts or user profiles.
In a worst-case scenario, the attacker gains complete control of the database server.

Impact

Successful exploitation of this SQL injection vulnerability can have severe consequences. An attacker can gain unauthorized access to sensitive data, including user credentials, private messages, and other confidential information stored within the Simple IT Discussion Forum database. This can lead to identity theft, financial fraud, and reputational damage. Furthermore, attackers can modify or delete data, disrupt forum operations, or even gain complete control of the underlying server. Given the public availability of the exploit, unpatched instances are at significant risk of compromise.

Recommendation

Apply any available patches or updates for code-projects Simple IT Discussion Forum 1.0 to address CVE-2026-5827.
Implement input validation and sanitization on the /question-function.php file to prevent SQL injection attacks, specifically targeting the content argument.
Deploy a web application firewall (WAF) with rules to detect and block SQL injection attempts against /question-function.php.
Monitor web server logs for suspicious activity, such as unusual characters or SQL keywords in the content parameter of requests to /question-function.php. Enable webserver logging to activate the rules below.
Deploy the Sigma rule to detect SQL injection attempts in web server logs.

PraisonAI Unauthenticated Agent Activity Exposure (CVE-2026-39889)

hello@craftedsignal.io — Wed, 08 Apr 2026 21:17:01 +0000

PraisonAI, a multi-agent teams system, is vulnerable to unauthenticated information disclosure in versions prior to 4.5.115. The vulnerability, identified as CVE-2026-39889, stems from the A2U (Agent-to-User) event stream server exposing sensitive agent activity without proper authentication. The create_a2u_routes() function registers several endpoints, including /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health, without implementing authentication checks. An attacker can exploit this flaw to gain unauthorized insight into agent operations within the PraisonAI system. This vulnerability was reported on April 8, 2026, and patched in version 4.5.115.

Attack Chain

The attacker identifies a PraisonAI instance running a version prior to 4.5.115.
The attacker sends an HTTP GET request to the /a2u/info endpoint.
The server responds with information about the available agent activity streams without requiring any authentication.
The attacker subscribes to a specific agent activity stream by sending an HTTP GET request to /a2u/subscribe.
The server provides the attacker with a stream ID, again without authentication.
The attacker then requests event data from the /a2u/events/{stream_name} endpoint, substituting {stream_name} with a valid stream name obtained from /a2u/info.
Alternatively, the attacker requests event data from the /a2u/events/sub/{id} endpoint, where ‘{id}’ is a stream ID obtained from /a2u/subscribe.
The server streams agent activity data to the attacker, enabling them to monitor agent actions and potentially extract sensitive information. The final objective is to gain unauthorized access to agent activity data.

Impact

Successful exploitation of CVE-2026-39889 can lead to the unauthorized disclosure of sensitive information related to agent activity within the PraisonAI system. This could include confidential data processed by the agents, internal operational details, and potentially credentials or API keys used by the agents. While the exact number of affected installations is unknown, any organization using PraisonAI versions prior to 4.5.115 is potentially vulnerable.

Recommendation

Upgrade PraisonAI installations to version 4.5.115 or later to remediate CVE-2026-39889.
Monitor web server logs for requests to the /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health endpoints without prior authentication. Consider deploying the Sigma rule provided below to detect such activity.
Implement network access controls to restrict access to the PraisonAI server to only authorized users and systems.

LORIS Directory Traversal Vulnerability

hello@craftedsignal.io — Wed, 08 Apr 2026 19:25:24 +0000

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application designed for data and project management in neuroimaging research. Versions 24.0.0 up to, but not including, 27.0.3 and 28.0.1 contain a directory traversal vulnerability (CVE-2026-35446) in the FilesDownloadHandler. This flaw stems from an incorrect order of operations, potentially enabling an attacker to escape the intended download directories and access sensitive files. Successful exploitation requires authentication and could lead to unauthorized access to sensitive research data. Users are advised to upgrade to versions 27.0.3 or 28.0.1 to mitigate this vulnerability. This vulnerability impacts organizations utilizing LORIS for managing sensitive neuroimaging data, potentially exposing research data.

Attack Chain

An attacker authenticates to the LORIS web application with valid credentials.
The attacker crafts a malicious HTTP request to the FilesDownloadHandler.
The crafted request includes a manipulated file path designed to traverse directories outside the intended download directory.
The FilesDownloadHandler processes the request with an incorrect order of operations when validating the file path.
The application bypasses the intended directory restrictions due to the flawed validation process.
The attacker gains access to files and directories outside of the designated download directory.
The attacker reads sensitive data, including neuroimaging data, project files, or configuration files.
The attacker may exfiltrate sensitive data for malicious purposes, such as espionage or sale on the dark web.

Impact

Successful exploitation of this directory traversal vulnerability (CVE-2026-35446) in LORIS could lead to unauthorized access to sensitive neuroimaging research data. The number of affected organizations is unknown, but any organization using LORIS versions 24.0.0 to before 27.0.3 and 28.0.1 is potentially vulnerable. The impact includes data breaches, intellectual property theft, and potential compromise of patient privacy if patient data is stored within the LORIS system.

Recommendation

Upgrade LORIS to version 27.0.3 or 28.0.1 to remediate CVE-2026-35446, as indicated in the overview.
Implement the “Detect LORIS Directory Traversal Attempt” Sigma rule to monitor for suspicious file download requests.
Review web server access logs for unusual file download patterns or attempts to access files outside the intended download directories using the file_event log source to detect potential exploitation attempts.

LORIS File Traversal Vulnerability (CVE-2026-34392)

hello@craftedsignal.io — Wed, 08 Apr 2026 19:25:21 +0000

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application used for data and project management in neuroimaging research. A critical file traversal vulnerability, identified as CVE-2026-34392, exists within the static file router of LORIS versions 20.0.0 to before 27.0.3 and 28.0.1. This flaw allows an unauthenticated attacker to access and download unintended files by manipulating requests to the /static, /css, and /js endpoints. Successful exploitation of this vulnerability can lead to the exposure of sensitive data, including configuration files, source code, and potentially patient information. The vulnerability is patched in versions 27.0.3 and 28.0.1. Organizations using vulnerable versions of LORIS should upgrade immediately.

Attack Chain

The attacker identifies a LORIS instance running a vulnerable version (20.0.0 to before 27.0.3 or 28.0.1).
The attacker crafts a malicious HTTP request targeting the /static, /css, or /js endpoints.
The crafted request includes a file traversal sequence (e.g., ../) in the URL to navigate outside the intended directory.
The LORIS static file router improperly handles the traversal sequence, failing to sanitize the requested path.
The webserver retrieves the file specified by the attacker, potentially including sensitive configuration files or source code.
The webserver responds with the contents of the requested file, which may contain sensitive information.
The attacker downloads the file and analyzes its contents for valuable information, such as database credentials or API keys.

Impact

Successful exploitation of CVE-2026-34392 can have severe consequences. An attacker can gain unauthorized access to sensitive files within the LORIS application. This can lead to the exposure of configuration files containing database credentials, API keys, or other sensitive data. The exposure of source code could also facilitate the discovery of other vulnerabilities. Depending on the files exposed, this could lead to further compromise of the LORIS system and potentially the underlying infrastructure, impacting the confidentiality and integrity of the research data managed by the system.

Recommendation

Upgrade LORIS to version 27.0.3 or 28.0.1 or later to patch CVE-2026-34392.
Implement web application firewall (WAF) rules to detect and block requests containing directory traversal sequences targeting the /static, /css, and /js endpoints.
Deploy the Sigma rules provided to detect exploitation attempts in web server logs.

CoolerControl-UI Stored XSS Vulnerability (CVE-2026-5301)

hello@craftedsignal.io — Wed, 08 Apr 2026 13:16:43 +0000

CoolerControl/coolercontrol-ui versions prior to 4.0.0 are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-5301. This flaw resides in the log viewer component of the application. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code into log entries. When a user views the log entries containing the malicious script, the script executes within their browser, potentially allowing the attacker to take over the CoolerControl service. The vulnerability was reported by GitLab Inc. and affects versions prior to the release of version 4.0.0. This is a high severity vulnerability because it allows unauthenticated attackers to perform actions as other users in the application.

Attack Chain

The attacker identifies a CoolerControl/coolercontrol-ui instance running a version prior to 4.0.0.
The attacker crafts a malicious log entry containing JavaScript code designed to execute arbitrary actions within a user’s session, such as stealing cookies or redirecting to a phishing site.
The attacker injects this malicious log entry into the CoolerControl/coolercontrol-ui system. The method of injection is not specified in the source but could involve exploiting other vulnerabilities or misconfigurations in the system.
A user, such as an administrator, accesses the log viewer within the CoolerControl/coolercontrol-ui interface.
The log viewer renders the malicious log entry, causing the injected JavaScript code to execute in the user’s browser.
The attacker gains control of the user’s session or performs other malicious actions, such as stealing credentials or injecting further malicious content into the application.
The attacker uses the compromised session to potentially escalate privileges and gain complete control over the CoolerControl service.

Impact

Successful exploitation of CVE-2026-5301 can lead to a complete compromise of the CoolerControl service. An attacker could gain unauthorized access to sensitive data, modify system configurations, or use the compromised system as a launchpad for further attacks. Given the nature of XSS vulnerabilities, impact is highly dependent on the privileges of the user whose session is compromised.

Recommendation

Upgrade CoolerControl/coolercontrol-ui to version 4.0.0 or later to remediate CVE-2026-5301.
Implement input validation and output encoding on all log entries to prevent the injection of malicious scripts.
Deploy the Sigma rule provided below to detect potential exploitation attempts by monitoring for script execution in the context of the CoolerControl/coolercontrol-ui web application.

ChurchCRM Stored XSS Vulnerability in Person Property Management

hello@craftedsignal.io — Wed, 08 Apr 2026 12:00:00 +0000

ChurchCRM, an open-source church management system, is vulnerable to a stored cross-site scripting (XSS) attack affecting versions prior to 7.0.0. This vulnerability resides within the Person Property Management subsystem and stems from insufficient input sanitization when handling dynamically assigned person properties. An authenticated attacker can inject malicious JavaScript code, which is then persistently stored in the database. When other users view the compromised person’s profile or access the printable view of that profile, the injected script executes, potentially leading to session hijacking or complete account takeover. This issue impacts versions patched for CVE-2023-38766, highlighting a persistent weakness. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and data breaches. Users are advised to update to version 7.0.0 or later to remediate this vulnerability.

Attack Chain

Attacker authenticates to ChurchCRM with valid user credentials.
Attacker navigates to the Person Property Management section.
Attacker creates or modifies a dynamically assigned person property, injecting malicious JavaScript code into a property field. Example payload: .
The application stores the malicious payload in the database without proper sanitization.
A different user views the profile of the person with the compromised property.
The stored XSS payload is rendered within the user’s browser, executing the injected JavaScript code.
The attacker’s JavaScript code steals the user’s session cookie or redirects the user to a phishing page.
The attacker uses the stolen session cookie to hijack the user’s session and gain unauthorized access to the application, potentially escalating privileges and accessing sensitive data.

Impact

Successful exploitation of this stored XSS vulnerability can lead to session hijacking and full account compromise. Attackers could gain unauthorized access to sensitive church member data, modify records, or perform administrative functions within the ChurchCRM system. The impact ranges from data theft and privacy breaches to complete disruption of church management operations. Given the potential for widespread access to sensitive personal information, organizations are strongly advised to apply the necessary updates to mitigate this risk. The CVSS v3.1 base score for this vulnerability is 8.7, indicating a high severity.

Recommendation

Upgrade ChurchCRM to version 7.0.0 or later to patch the vulnerability (CVE-2026-35576).
Deploy the provided Sigma rule to detect potential XSS attempts via crafted property values.
Review and audit existing dynamically assigned person properties for suspicious script tags to identify potentially compromised records.
Implement input validation and output encoding to prevent future XSS vulnerabilities in ChurchCRM.

Emmett Web Framework Path Traversal Vulnerability (CVE-2026-39847)

hello@craftedsignal.io — Tue, 07 Apr 2026 22:16:23 +0000

The Emmett web framework, a full-stack Python framework, is susceptible to a path traversal vulnerability affecting versions 2.5.0 to prior to 2.8.1. Specifically, the RSGI static handler for Emmett’s internal assets (/emmett paths) does not properly sanitize user-supplied input, leading to CVE-2026-39847. By crafting malicious URLs containing “../” sequences, an unauthenticated attacker can bypass directory restrictions and access sensitive files residing outside the designated assets directory. Successful exploitation allows attackers to potentially read application source code, configuration files, or other sensitive data. Emmett users are urged to upgrade to version 2.8.1 or later to remediate this vulnerability. The vulnerability was reported on April 7th, 2026.

Attack Chain

The attacker identifies a vulnerable Emmett web application running a version between 2.5.0 and 2.8.1.
The attacker crafts a malicious HTTP GET request targeting a static asset under the /__emmett__ path.
The crafted URL includes “../” sequences to traverse up the directory structure from the intended assets directory. For example: /__emmett__/../../../../etc/passwd.
The web server receives the request and passes it to the vulnerable RSGI static handler.
Due to the lack of input sanitization, the handler processes the “../” sequences, allowing the attacker to navigate outside the assets directory.
The handler attempts to read the file specified in the manipulated path (e.g., /etc/passwd).
The server returns the contents of the requested file in the HTTP response.
The attacker obtains sensitive information from the server, potentially including configuration files, source code, or credentials.

Impact

Successful exploitation of this path traversal vulnerability (CVE-2026-39847) allows an attacker to read arbitrary files on the server hosting the Emmett web application. This can lead to the exposure of sensitive information such as application source code, configuration files containing database credentials, or even system files. The impact can range from information disclosure to complete compromise of the web application and potentially the underlying server. The severity is rated as critical with a CVSS v3.1 score of 9.1.

Recommendation

Upgrade Emmett to version 2.8.1 or later to patch CVE-2026-39847.
Deploy the Sigma rule “Detect Emmett Path Traversal Attempts” to your SIEM to identify exploitation attempts.
Monitor web server logs for suspicious URLs containing “../” sequences targeting the /__emmett__ path to identify potential exploit attempts.
Implement web application firewall (WAF) rules to block requests containing path traversal sequences.

ChurchCRM Authenticated API User Authorization Bypass (CVE-2026-39331)

hello@craftedsignal.io — Tue, 07 Apr 2026 18:16:44 +0000

ChurchCRM is an open-source church management system. Prior to version 7.1.0, a critical vulnerability exists (CVE-2026-39331) that allows authenticated API users to bypass authorization controls and modify family records without proper privileges. This is achieved by manipulating the {familyId} parameter in specific API requests. The vulnerability lies in the absence of role-based access control on several key API endpoints, including /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode. This allows attackers to deactivate/reactivate families, spam verification emails, mark families as verified, and trigger geocoding actions without the necessary permissions. This vulnerability poses a significant risk to the integrity and availability of ChurchCRM data, especially in multi-tenant environments. Upgrade to version 7.1.0 to remediate this vulnerability.

Attack Chain

An attacker authenticates to the ChurchCRM API with valid user credentials.
The attacker identifies a target familyId that they do not have explicit modification rights for.
The attacker crafts a malicious API request to one of the vulnerable endpoints: /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, or /family/{familyId}/geocode.
The attacker replaces the {familyId} parameter in the request URL with the target familyId.
For example, the attacker sends a POST request to /family/123/activate/false to deactivate family with ID 123.
Due to the lack of role-based access control, the server processes the request without verifying if the attacker has the necessary EditRecords privilege.
The target family’s state is modified (e.g., deactivated, marked as verified).
The attacker repeats this process for other families and actions, potentially causing widespread disruption or data manipulation.

Impact

Successful exploitation of CVE-2026-39331 allows an attacker to escalate privileges and manipulate sensitive family data within ChurchCRM. This can lead to unauthorized deactivation of families, generation of spam verification emails, inaccurate family verification status, and resource exhaustion due to excessive geocoding requests. While specific victim counts are unknown, all ChurchCRM instances prior to version 7.1.0 are vulnerable. The consequences include reputational damage, data integrity issues, and potential disruption of church operations.

Recommendation

Immediately upgrade ChurchCRM to version 7.1.0 to patch CVE-2026-39331 and address the authorization bypass vulnerability.
Monitor web server logs for suspicious requests to the vulnerable API endpoints (/family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, /family/{familyId}/geocode) as detected by the Sigma rule “ChurchCRM Family ID Manipulation”.
Implement stricter input validation and role-based access controls on all API endpoints to prevent unauthorized data modification, especially those handling sensitive data like family records.
Review and audit existing ChurchCRM user permissions to identify and revoke any unnecessary privileges that could be exploited in conjunction with this vulnerability.

WeGIA Web Manager SQL Injection Vulnerability (CVE-2026-35395)

hello@craftedsignal.io — Mon, 06 Apr 2026 21:16:21 +0000

WeGIA (Web gerenciador para instituições assistenciais) is a web manager for charitable institutions. Versions prior to 3.6.9 are susceptible to a critical SQL injection vulnerability (CVE-2026-35395) found in the dao/memorando/DespachoDAO.php file. The id_memorando parameter, extracted from the $_REQUEST array, is directly incorporated into SQL queries without any validation or sanitization. This flaw enables authenticated users with low privileges to inject arbitrary SQL commands, potentially leading to complete database compromise. Successful exploitation could result in data breaches, modification of sensitive information, and denial-of-service conditions. Defenders should prioritize upgrading to version 3.6.9 or applying provided patches immediately.

Attack Chain

An authenticated user logs into the WeGIA web application.
The user navigates to a page that triggers the execution of dao/memorando/DespachoDAO.php.
The application extracts the id_memorando parameter from the $_REQUEST array using the HTTP GET or POST method.
The attacker crafts a malicious id_memorando parameter containing SQL injection payloads (e.g., 1; DROP TABLE users; --).
The application directly interpolates the attacker-controlled id_memorando parameter into an SQL query without proper sanitization within the DespachoDAO.php file.
The database server executes the injected SQL command, allowing the attacker to manipulate database records, read sensitive data, or execute arbitrary commands.
The attacker may exfiltrate sensitive data from the database, such as user credentials, financial information, or confidential memorandums.
The attacker achieves complete database compromise, potentially leading to a full system takeover.

Impact

The SQL injection vulnerability in WeGIA versions prior to 3.6.9 poses a significant risk to charitable institutions using the software. Successful exploitation can lead to unauthorized access to sensitive donor information, financial records, and confidential communications. The potential impact includes data breaches, financial losses, reputational damage, and legal liabilities. Given the nature of the targeted institutions, this vulnerability could severely disrupt their operations and erode public trust, potentially affecting thousands of individuals. Organizations that do not apply the patch are vulnerable to data breaches.

Recommendation

Immediately upgrade WeGIA to version 3.6.9 to remediate the SQL injection vulnerability described in CVE-2026-35395.
Implement input validation and sanitization for all user-supplied data, especially the id_memorando parameter in DespachoDAO.php, to prevent future SQL injection attacks.
Deploy the Sigma rule “Detect Suspicious WeGIA SQL Injection Attempts” to your SIEM and tune it for your environment to detect exploitation attempts.
Monitor web server logs for suspicious requests containing SQL injection payloads targeting the dao/memorando/DespachoDAO.php endpoint.
Restrict database access privileges to the minimum required for WeGIA to function correctly.