Description
Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in search.php. Attackers can send GET requests with malicious SQL payloads like SLEEP commands to extract sensitive database information including product details and system data.
Published: 2026-05-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Smartshop 1 includes a time‑based blind SQL injection flaw (identified as CWE‑89) exposed through the 'searched' parameter in search.php. Attackers do not need authentication and can send crafted GET requests, such as those containing SLEEP functions, to cause delays and infer database contents. This allows extraction of sensitive data, including product and system information, effectively compromising confidentiality.

Affected Systems

The vulnerability affects the Behance Smartshop 1 e‑commerce platform. No specific version range is provided, so all installations of Smartshop 1 are potentially impacted.

Risk and Exploitability

With a CVSS v4.0 score of 8.8 (v3.1: 8.2) the flaw qualifies as high severity. The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, but the SSVC assessment records a public proof of concept and rates the flaw automatable, and no authentication is needed: a single crafted GET request to search.php is the whole attack vector. Because the injection is time-based and blind, data is inferred one condition per delayed response rather than read directly, which makes extraction slow but trivially scriptable, and the requests look like ordinary searches unless the query string is inspected.

Generated by OpenCVE AI on May 23, 2026 at 19:51 UTC.
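The attack vector above is a plain GET to search.php, so the web-server access log is the first place to look for probes. The block below is an added example, not part of the CVE record or the Smartshop project: it parses constructed combined-format log lines, percent-decodes the 'searched' value and flags calls to SLEEP (the function the description names) and the equivalent delay functions of other engines. The log lines, hostnames and field layout are assumptions for illustration.

```php
<?php
// Added example (not part of the CVE record or the Smartshop project): scan
// a web-server access log for time-based SQL injection probes aimed at the
// 'searched' parameter of search.php. The log lines below are constructed.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [23/May/2026:19:10:01 +0000] "GET /search.php?searched=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [23/May/2026:19:10:07 +0000] "GET /search.php?searched=shoes%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2026:19:11:30 +0000] "GET /search.php?searched=1%22%20OR%20BENCHMARK(5000000%2CMD5(1))%23 HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.9 - - [23/May/2026:19:11:45 +0000] "GET /product.php?id=3 HTTP/1.1" 200 2048 "-" "curl/8.5.0"
LOG;

// SLEEP is what the CVE description names; the others are the equivalents an
// attacker tries when the backend turns out not to be MySQL.
const TIME_BASED_FUNCTIONS = '/\b(?:sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_lock\.sleep)\b/i';

/**
 * Returns one entry per request to search.php whose 'searched' value calls a
 * delay function, after percent-decoding and stripping inline SQL comments.
 */
function findTimeBasedProbes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined log format: client ident user [timestamp] "METHOD target PROTOCOL" ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+"/', $line, $m)) {
            continue;
        }
        [, $client, $when, $method, $target] = $m;
        $url = parse_url($target);
        if (!isset($url['path'], $url['query']) || basename($url['path']) !== 'search.php') {
            continue;
        }
        parse_str($url['query'], $params);   // percent-decodes, so SLEEP%28 and SLEEP( compare equal
        $searched = isset($params['searched']) && is_string($params['searched']) ? $params['searched'] : '';
        // Attackers split keywords with /**/ to dodge naive filters; remove comments first.
        $normalized = preg_replace('#/\*.*?\*/#s', '', $searched);
        if (preg_match(TIME_BASED_FUNCTIONS, $normalized) === 1) {
            $hits[] = ['client' => $client, 'time' => $when, 'method' => $method, 'searched' => $searched];
        }
    }
    return $hits;
}

foreach (findTimeBasedProbes(SAMPLE_LOG) as $hit) {
    printf("[%s] %s %s search.php searched=%s\n", $hit['time'], $hit['client'], $hit['method'], $hit['searched']);
}
```

The default combined format records no response time, so this only shows that a probe was sent. Logging Apache's %D or nginx's $request_time alongside lets you also see which requests actually stalled, which is the confirmation a time-based attacker is looking for.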

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or update for Smartshop 1 that addresses the SQL injection (CWE‑89) flaw.
  • If no update is available, disable or restrict access to search.php until remediation is applied.
  • Deploy a web application firewall or intrusion detection system configured to detect and block SQL injection attempts targeting the 'searched' parameter, as a stopgap: signature rules keyed on SLEEP or BENCHMARK are bypassable and do not replace the code fix.
  • Fix the root cause by passing the 'searched' value to the database through a parameterized query (prepared statement) instead of concatenating it into SQL text; input validation and escaping are defence in depth, not a substitute.

Generated by OpenCVE AI on May 23, 2026 at 19:51 UTC.
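The last recommended action is the actual fix. The block below is an added illustration, not Smartshop 1's code (the project's source is not reproduced on this page): the concatenation pattern the description implies, beside a hardened search that uses a PDO prepared statement with LIKE wildcards escaped. Table and column names and the SQLite demo rows are assumptions.

```php
<?php
// Added example, not Smartshop 1 code (the project's source is not on this
// page): the query-building pattern the CVE description implies, untrusted
// 'searched' input concatenated into SQL, beside a hardened version using a
// prepared statement. Table/column names are assumptions; the demo runs on
// an in-memory SQLite database seeded with constructed rows.

declare(strict_types=1);

// VULNERABLE PATTERN: the request value becomes part of the SQL text, so a
// value like  shoes' AND SLEEP(5)-- -  closes the quoted string and appends
// the attacker's own condition. On MySQL the 5 s delay is the signal a
// time-based blind attacker measures; this function only builds the string.
function buildVulnerableQuery(string $searched): string
{
    return "SELECT id, name FROM products WHERE name LIKE '%" . $searched . "%'";
}

// HARDENED: the SQL text is fixed at prepare time and the value is bound as a
// parameter, so quotes and keywords inside it are plain characters to match.
function searchProductsSafe(PDO $db, string $searched): array
{
    // % and _ are LIKE wildcards: escape them ('!' as the escape character
    // behaves the same on SQLite, MySQL and PostgreSQL) so a user searching
    // for "100%" matches that text rather than every row.
    $term = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $searched) . '%';
    $stmt = $db->prepare(
        "SELECT id, name FROM products WHERE name LIKE :term ESCAPE '!' ORDER BY id"
    );
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function demoDatabase(): PDO
{
    // With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES => false so
    // PDO sends true server-side prepared statements instead of quoting on
    // the client.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO products (name) VALUES ('running shoes'), ('shoe polish'), ('100% cotton shirt')");
    return $db;
}

$db = demoDatabase();
$payload = "shoes' AND SLEEP(5)-- -";

echo "Vulnerable query text for the payload:\n  ", buildVulnerableQuery($payload), "\n";
foreach ([$payload, 'shoe', '%'] as $input) {
    printf("Safe search for %-26s returns %d row(s)\n", var_export($input, true), count(searchProductsSafe($db, $input)));
}
```

Run with the pdo_sqlite extension loaded. The payload is shown as the SQL it would become under concatenation, and the same string passed to the prepared statement is matched literally and returns nothing, while "shoe" still finds both shoe products and "%" finds only the row containing a literal percent sign.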

Advisories

No advisories yet.

History

Tue, 26 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Behance; Behance smartshop
Vendors & Products | | Behance; Behance smartshop

Sat, 23 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in search.php. Attackers can send GET requests with malicious SQL payloads like SLEEP commands to extract sensitive database information including product details and system data.
Title | | Smartshop 1 SQL Injection via search.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T18:23:21.353Z

Reserved: 2026-05-23T14:42:30.568Z

Link: CVE-2018-25342

Vulnrichment

Updated: 2026-05-26T18:23:07.803Z

NVD

Status: Deferred

Published: 2026-05-23T19:16:54.067

Modified: 2026-05-26T19:47:48.987

Link: CVE-2018-25342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T11:33:32Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')