ciso brief

All news with #sql injection tag

30 articles

Critical Ghost CMS SQLi Exploited in ClickFix Campaign

🛡️ Researchers uncovered a large-scale campaign exploiting a critical SQL injection (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows. More than 700 domains — including university portals, media outlets, fintech firms, and personal blogs — were affected. The flaw impacts Ghost 3.24.0 through 6.19.0 and allows unauthenticated actors to exfiltrate admin API keys. Administrators are urged to upgrade to 6.19.1+, rotate keys, and scan sites for injected scripts.

CISA Adds Drupal SQL Injection to KEV Catalog

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a SQL injection flaw in Drupal Core (CVE-2026-9082, CVSS 6.5; rated "highly critical" on Drupal's own scale) to its Known Exploited Vulnerabilities list after evidence of active exploitation. The vulnerability affects all supported Drupal Core versions and could enable privilege escalation and remote code execution via crafted requests that reach Drupal's database abstraction API. Patches were released across multiple 8.x–11.x branches, with manual patches required for Drupal 9.5 and 8.9.

Drupal SQL injection flaw now being exploited

🔒 Drupal has warned administrators that a "highly critical" SQL injection vulnerability, tracked as CVE-2026-9082, is being actively targeted in the wild. Discovered by Google/Mandiant researcher Michael Maturi, the flaw affects Drupal's database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL. Exploitation requires no authentication and can lead to remote code execution, privilege escalation, and data disclosure; Drupal has released updates and urges immediate patching.

Highly Critical PostgreSQL SQLi Fix Released for Drupal

🛡️ Drupal issued emergency updates addressing a "highly critical" SQL injection flaw tracked as CVE-2026-9082 in its database abstraction API that can be exploited against sites using PostgreSQL, allowing information disclosure and in some cases privilege escalation or remote code execution. The vendor released patched builds for supported 11.x and 10.x branches and published manual patches for EOL versions. Upstream Symfony and Twig fixes are also included in recent releases.

Drupal issues emergency patch for critical SQL injection

🚨 Drupal administrators must apply an emergency core update to address a “highly critical” SQL injection defect (CVE-2026-9082) that affects sites using PostgreSQL. The release also bundles upstream fixes for Symfony and Twig, so Drupal urges updates even for non-Postgres deployments. Supported branches 11.3, 11.2, 10.6 and 10.5 are patched, while end-of-life versions may receive unsupported best-effort patches. The flaw permits anonymous attackers to send crafted requests resulting in arbitrary SQL injection, information disclosure, and potential privilege escalation or remote code execution.

Avada Builder Flaws Expose Files and Enable SQLi Risks

🔒 The Avada Builder WordPress plugin contained two serious vulnerabilities affecting an estimated one million active installations. One flaw (CVE-2026-4782) allows authenticated users with subscriber access to read arbitrary server files through the custom_svg parameter of the plugin’s shortcode rendering, exposing sensitive files such as wp-config.php. The other (CVE-2026-4798) is a time-based blind SQL injection exploitable without authentication if WooCommerce was previously installed and then deactivated. Administrators are urged to update to Avada Builder 3.15.3 immediately.

Avada Builder Vulnerabilities Put One Million Sites at Risk

⚠️ Two newly disclosed flaws in the Avada Builder WordPress plugin place roughly one million sites at risk of arbitrary file read (CVE-2026-4782, CVSS 6.5) and unauthenticated time-based SQL injection (CVE-2026-4798, CVSS 7.5). The issues were reported to Wordfence in March, first addressed in 3.15.2 and fully resolved in 3.15.3. Site owners are urged to update immediately and audit subscriber accounts and wp-config.php for signs of compromise.

SAP May 2026 Fixes Critical Flaws in Commerce Cloud

🔒 SAP released its May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws affecting Commerce Cloud and S/4HANA. The most severe (CVE-2026-34263) is a missing authentication check in Commerce Cloud that can allow unauthenticated remote code execution via improper Spring Security configuration. The other critical (CVE-2026-34260) permits low-complexity SQL injection by attackers with basic privileges, risking sensitive data exposure and potential service crashes. SAP also patched one high and 11 medium-severity issues and reports no evidence of in-the-wild exploitation to date.

CISA Adds KEV Entry for BerriAI LiteLLM SQLi Risk Now

🔔 CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-42208, a SQL injection affecting BerriAI LiteLLM. The agency cites evidence of active exploitation and notes that SQLi remains a common, high-risk vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by their due dates. CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Critical SQL Injection in LiteLLM (CVE-2026-42208)

⚠️ A critical SQL injection (CVE-2026-42208, CVSS 9.3) in the open-source LiteLLM Python gateway allowed unauthenticated attackers to inject SQL through the proxy’s API key check by placing crafted values in the Authorization header. Affected versions are >=1.81.16 and <1.83.7; maintainers released 1.83.7-stable on April 19, 2026. Security vendor Sysdig reported active exploitation within roughly 26–36 hours of disclosure, with probes focused on credential tables that store upstream LLM provider keys. Operators should update immediately or set disable_error_logs: true as a temporary mitigation.

Critical LiteLLM Pre-auth SQLi Allows Database Access

🔓 LiteLLM's proxy contains a pre-auth SQL injection in its API key verification, tracked as CVE-2026-42208. An attacker can send a crafted Authorization header to any LLM API route to read and modify the proxy database, exposing API keys, master keys, provider credentials, and environment secrets. Exploitation was observed about 36 hours after public disclosure and targeted '/chat/completions'. Upgrade to 1.83.7 or apply the suggested workaround and rotate any exposed credentials.
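The bug class behind CVE-2026-42208, shown as an added example that is not LiteLLM’s code: a key lookup that splices the bearer token from the Authorization header into SQL text, beside the parameterised version of the same check. The table layout, sample keys and the injection payload are constructed for this example.

```python
"""Added example (not LiteLLM code): a pre-auth API-key check that builds
SQL from the Authorization header, and the parameterised fix.

Table layout, sample keys and the payload are constructed for this example.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a proxy key store: virtual key -> provider secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT, provider_secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO virtual_keys VALUES (?, ?, ?)",
        [
            ("sk-team-a-0001", "team-a", "provider-secret-A"),  # constructed rows
            ("sk-team-b-0002", "team-b", "provider-secret-B"),
        ],
    )
    return conn


def bearer_token(headers: dict) -> str:
    """Strip the 'Bearer ' prefix; everything after it is attacker-controlled."""
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else auth


def verify_key_vulnerable(conn: sqlite3.Connection, headers: dict) -> list:
    """Vulnerable: the token is pasted into the query and parsed as SQL.

    A token of  ' OR '1'='1  turns the WHERE clause into a tautology, so an
    unauthenticated caller gets every row, provider secrets included.
    """
    token = bearer_token(headers)
    query = f"SELECT token, team, provider_secret FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(query).fetchall()


def verify_key_fixed(conn: sqlite3.Connection, headers: dict) -> list:
    """Fixed: the token is a bound parameter, never SQL text, so the same
    payload matches nothing."""
    token = bearer_token(headers)
    return conn.execute(
        "SELECT token, team, provider_secret FROM virtual_keys WHERE token = ?",
        (token,),
    ).fetchall()


INJECTION_HEADERS = {"Authorization": "Bearer ' OR '1'='1"}  # constructed payload
GOOD_HEADERS = {"Authorization": "Bearer sk-team-a-0001"}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", verify_key_vulnerable(db, INJECTION_HEADERS))  # both rows leak
    print("fixed:     ", verify_key_fixed(db, INJECTION_HEADERS))       # []
    print("fixed/real:", verify_key_fixed(db, GOOD_HEADERS))            # one row
```

sqlite3’s execute() refuses stacked statements, so this harness shows only the read side; the "read and modify" impact in the advisory follows the same concatenation path wherever the driver accepts more than one statement. The fix is not input filtering but binding: the payload still arrives, it simply never becomes SQL.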

Mitsubishi Electric GENESIS64 and ICONICS Suite Fixes

🔒 CISA reports two high-severity vulnerabilities (CVE-2025-14815, CVE-2025-14816) in Mitsubishi Electric GENESIS64, ICONICS Suite, and related products that may expose SQL Server credentials stored in local caches or displayed in the Hyper Historian Splitter GUI. Successful exploitation could enable disclosure, tampering, or denial of service on affected systems. Vendor updates are available (10.98+ for GENESIS64/ICONICS products and 11.03+ for GENESIS); administrators should disable local cache, delete cache files, prefer Windows authentication, and restrict administrative and remote access until patches are applied.

Fortinet issues emergency FortiClient EMS patch now

🔐 Fortinet has released an emergency hotfix for FortiClient Enterprise Management Server (EMS) to address a critical improper access control flaw tracked as CVE-2026-35616 (CVSS 9.1) that is being exploited in the wild. The vendor said the interim hotfix for EMS 7.4.5 and 7.4.6 fully prevents the issue and that a permanent fix will be included in 7.4.7. Security vendor Defused also reported a separate critical SQL injection, CVE-2026-21643 (CVSS 9.8), with active exploit activity; customers were urged to upgrade to 7.4.5 or later or at minimum disconnect the administrative web interface from the internet.

Critical SQL Injection in Fortinet EMS Actively Exploited

⚠️ A critical SQL injection, CVE-2026-21643, is being actively exploited against FortiClient EMS, allowing unauthenticated attackers to execute arbitrary SQL via crafted HTTP requests. The flaw affects EMS 7.4.4 when multi-tenant mode is enabled; Fortinet released 7.4.5 to remediate. Researchers note the endpoint returns database error messages and lacks lockout protections, enabling rapid data extraction and credential theft. Administrators should patch immediately, remove internet exposure, and review web-server logs for SQL syntax in request headers.

Critical FortiClient EMS SQL Injection Now Exploited

🔴 Threat intelligence firm Defused reports active exploitation of a critical SQL injection in Fortinet FortiClient EMS, tracked as CVE-2026-21643. The vulnerability lets unauthenticated attackers inject SQL via the HTTP 'Site' header to the EMS web GUI, enabling arbitrary code or command execution on unpatched systems. Fortinet fixed the issue in 7.4.5; administrators must upgrade immediately and block public access to EMS interfaces. Defused observed first exploitation four days after discovery and Shodan/Shadowserver data indicate many publicly exposed instances.
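Both header-borne injections on this page, the Site header against FortiClient EMS and the Authorization header against LiteLLM, leave the payload in whatever log records request headers. The detection below is an added example, not code from Fortinet, LiteLLM or any of the cited researchers: it scans constructed access-log lines for SQL syntax in those two headers. The log layout, the rule set and every sample line are assumptions for the example; adapt LINE_RE to your own format.

```python
"""Added example (not vendor code): flag SQL syntax in the Site and
Authorization request headers, the two header-based injection vectors
described on this page.

Log layout, rules and all sample lines are constructed for this example.
"""
import re
from dataclasses import dataclass

# Assumed log layout: client "METHOD path" Site="..." Authorization="..."
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<path>\S+)" '
    r'Site="(?P<site>[^"]*)" Authorization="(?P<auth>[^"]*)"$'
)

# Signatures checked in order; a legitimate tenant name or bearer token
# should trip none of them.
RULES = [
    ("tautology", re.compile(r"'\s*(?:or|and)\s+\S+\s*=", re.I)),               # ' OR 1=1
    ("union", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),             # UNION SELECT
    ("time_based", re.compile(r"\b(?:pg_sleep|sleep|benchmark|waitfor)\b", re.I)),  # blind delay
    ("comment", re.compile(r"--|/\*|;\s*(?:select|insert|update|delete|drop)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    client: str
    path: str
    header: str
    value: str
    rules: tuple


def inspect_value(value: str) -> list:
    """Return the names of every rule a header value trips (empty if clean)."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(text: str) -> list:
    """Parse each log line and report header values carrying SQL syntax."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed layout; a real tool would count these
        for header, value in (("Site", m["site"]), ("Authorization", m["auth"])):
            hits = inspect_value(value)
            if hits:
                findings.append(Finding(m["client"], m["path"], header, value, tuple(hits)))
    return findings


# Constructed sample traffic: two clean requests and three injection attempts.
SAMPLE_LOG = """\
203.0.113.5 "POST /api/v1/auth" Site="tenant-a" Authorization="-"
203.0.113.7 "POST /api/v1/auth" Site="x' OR 1=1--" Authorization="-"
198.51.100.9 "POST /chat/completions" Site="-" Authorization="Bearer sk-team-a-0001"
198.51.100.9 "POST /chat/completions" Site="-" Authorization="Bearer ' UNION SELECT token FROM virtual_keys--"
192.0.2.44 "POST /chat/completions" Site="-" Authorization="Bearer ' OR pg_sleep(5)--"
"""


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} {f.path} {f.header}: {f.value!r} -> {', '.join(f.rules)}")
```

Treat hits as triage leads rather than a block list: the signatures are deliberately narrow, so they miss encoded or obfuscated variants, and on an EMS host the hits should be read together with the database error responses the researchers say the endpoint returns. A bearer token that trips the union or time_based rule on a /chat/completions route is worth the same response the LiteLLM advisory asks for: patch, then rotate every key the proxy stores.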

SQLi in Elementor's Ally Plugin Puts 250k+ Sites at Risk

🔒 A high-severity SQL injection (CVE-2026-2313) in the Ally WordPress plugin from Elementor allows unauthenticated attackers to inject SQL via a URL parameter in versions up to 4.0.3. The flaw stems from improper sanitization in the get_global_remediations() method, where a user-supplied URL parameter is concatenated into an SQL JOIN clause. Exploitation is possible only if the plugin is connected to an Elementor account and the Remediation module is active. Elementor released a fix in version 4.1.0 on February 23, but roughly 250,000 sites remain unpatched; administrators should update Ally to 4.1.0 and install WordPress 6.9.2 immediately.

LeakyLooker: Nine Cross-Tenant Flaws in Looker Studio

🔒 Tenable Research disclosed nine cross-tenant vulnerabilities, collectively named LeakyLooker, in Looker Studio that could allow attackers to run arbitrary SQL and access datasets across tenants. The flaws affected connectors including BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets and Cloud Storage and involved SQL injection, data leaks via report elements and a BigQuery denial-of-wallet issue. Google has applied global fixes to its fully managed service and no customer action is required, though organisations should review sharing settings and limit unused connectors.

InSAT MasterSCADA BUK-TS: Critical RCE Vulnerabilities

⚠️ CISA reports two critical remote code execution vulnerabilities in InSAT MasterSCADA BUK-TS (all versions). CVE-2026-21410 enables SQL injection via the main web interface, and CVE-2026-22553 allows OS command injection through the MMadmServ interface. Both CVEs have CVSS v3.1 base scores of 9.8. CISA recommends minimizing network exposure, isolating control systems behind firewalls, using secure remote access, and contacting the vendor for guidance.

Amazon RDS Custom Adds Latest GDR for SQL Server Updates

🔒 Amazon Relational Database Service (Amazon RDS) Custom for SQL Server now supports the latest General Distribution Release (GDR) updates, including SQL Server 2022 Cumulative Update and KB5072936 (16.00.4230.2.v1). These GDRs address vulnerabilities described in CVE-2026-20803 and are recommended for production environments. You can apply the updates via the RDS Management Console, AWS SDK, or CLI, and consult the Amazon RDS Custom User Guide for upgrade procedures and best practices.

Fortinet Patches Critical SQL Injection in FortiClientEMS

⚠️ Fortinet has issued updates to remediate a critical SQL injection vulnerability (CVE-2026-21643) in FortiClientEMS that could allow unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests. The flaw is rated CVSS 9.1 and affects FortiClientEMS 7.4.4; Fortinet advises upgrading to 7.4.5 or later. Gwendal Guégniaud is credited with reporting the issue, and users are urged to apply the fixes promptly.