Description
Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in search.php. Attackers can send GET requests with malicious SQL payloads like SLEEP commands to extract sensitive database information including product details and system data.
Published: 2026-05-23
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Smartshop 1 includes a time‑based blind SQL injection flaw (identified as CWE‑89) exposed through the 'searched' parameter in search.php. Attackers do not need authentication and can send crafted GET requests, such as those containing SLEEP functions, to cause delays and infer database contents. This allows extraction of sensitive data, including product and system information, effectively compromising confidentiality.

Affected Systems

The vulnerability affects the Behance Smartshop 1 e‑commerce platform. No specific version range is provided, so all installations of Smartshop 1 are potentially impacted.

Risk and Exploitability

With a CVSS score of 8.8 the flaw qualifies as high severity. The EPSS score is unavailable, and it is not listed in the CISA KEV catalog, but the lack of authentication and the ability to harvest data through benign HTTP requests make exploitation likely for attackers with web access. The attack vector is a direct web request to the vulnerable endpoint, enabling attackers to extract information without further privileges.

Generated by OpenCVE AI on May 23, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or update for Smartshop 1 that addresses the SQL injection (CWE‑89) flaw.
  • If no update is available, disable or restrict access to search.php until remediation is applied.
  • Deploy a web application firewall or intrusion detection system configured to detect and block SQL injection attempts targeting the 'searched' parameter.
  • Ensure the application uses prepared statements or other input‑validation techniques for the 'searched' parameter in order to eliminate the injection vector.

Generated by OpenCVE AI on May 23, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 23 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in search.php. Attackers can send GET requests with malicious SQL payloads like SLEEP commands to extract sensitive database information including product details and system data.
Title Smartshop 1 SQL Injection via search.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:45.008Z

Reserved: 2026-05-23T14:42:30.568Z

Link: CVE-2018-25342

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-23T20:00:11Z

Weaknesses