Description
PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Attackers can submit POST requests to the comment submission endpoint with RLIKE-based boolean SQL injection payloads to extract sensitive database information.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Data Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an SQL injection flaw in PilusCart 1.4.1 that allows an unauthenticated attacker to manipulate database queries through the 'send' POST parameter. By sending crafted RLIKE-based boolean payloads to the comment submission endpoint, an attacker can extract sensitive database information. This flaw is classified as CWE-89 and leads to confidentiality compromise by exposing protected data.

Affected Systems

Only PilusCart 1.4.1 is affected. The product is provided by PilusCart, and version 1.4.1 lacks the necessary input validation or prepared statements for the 'send' parameter. Older versions prior to 1.4.1 are not impacted, and no other product versions were identified as vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. Exploitation requires only a single unauthenticated POST request to the comment endpoint, so the attack vector is the web-facing application itself. While EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, the high CVSS score and lack of defenses make it a significant risk for exposed installations. Attackers can leverage the flaw to gain unauthorized access to database contents without authentication.

Generated by OpenCVE AI on April 5, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PilusCart to the latest version that patches the SQL injection vulnerability.
  • If an update is not immediately possible, restrict the 'send' parameter to allow only alphanumeric characters, remove any special characters, and reject suspicious input before processing.
  • Additionally, implement application-layer web filtering or WAF rules that block obvious SQL injection patterns targeting the comment endpoint.
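A hardened comment handler along the lines of the interim advice above, as an added example that is not PilusCart's own code: it allowlists the 'send' parameter and binds it through a parameterised query, using an in-memory SQLite table with a constructed schema (and a hypothetical 64-character length bound) as a stand-in for the cart's database.

```python
import re
import sqlite3

# Allowlist for the 'send' parameter, per the advisory's interim advice:
# alphanumeric only. The 64-character bound is an assumption of this example.
SEND_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def validate_send(value: str) -> bool:
    """Return True only if 'send' is purely alphanumeric and non-empty."""
    return SEND_RE.fullmatch(value) is not None


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the cart's comment table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, send TEXT, body TEXT)"
    )
    return conn


def save_comment(conn: sqlite3.Connection, send: str, body: str) -> int:
    """Insert a comment using a parameterised query.

    The driver binds `send` and `body` as data, so quote characters or any
    other SQL syntax in the input can never change the statement itself.
    Returns the new row id, or raises ValueError if 'send' fails validation.
    """
    if not validate_send(send):
        raise ValueError("invalid 'send' parameter")
    cur = conn.execute(
        "INSERT INTO comments (send, body) VALUES (?, ?)", (send, body)
    )
    conn.commit()
    return cur.lastrowid


def comment_count(conn: sqlite3.Connection) -> int:
    """Number of stored comments (used to confirm nothing unexpected ran)."""
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def fetch_body(conn: sqlite3.Connection, row_id: int) -> str:
    """Read a stored comment back, again with a bound parameter."""
    return conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    rid = save_comment(db, "product42", "Can't wait; 100% recommend")
    print(rid, comment_count(db), fetch_body(db, rid))
```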

Generated by OpenCVE AI on April 5, 2026 at 23:24 UTC.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pilus
                                      Pilus piluscart
Vendors & Products                    Pilus
                                      Pilus piluscart

Mon, 06 Apr 2026 20:00:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 20:45:00 +0000

Type                 Values Removed   Values Added
Description                           PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Attackers can submit POST requests to the comment submission endpoint with RLIKE-based boolean SQL injection payloads to extract sensitive database information.
Title                                 PilusCart 1.4.1 SQL Injection via send Parameter
First Time appeared                   Kartatopia
                                      Kartatopia piluscart
Weaknesses                            CWE-89
CPEs                                  cpe:2.3:a:kartatopia:piluscart:1.4.1:*:*:*:*:*:*:*
Vendors & Products                    Kartatopia
                                      Kartatopia piluscart
References
Metrics                               cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                                      cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:02:53.502Z

Reserved: 2026-04-05T13:16:57.228Z

Link: CVE-2019-25672

Vulnrichment

Updated: 2026-04-06T17:59:09.332Z

NVD

Status: Analyzed

Published: 2026-04-05T21:16:44.943

Modified: 2026-04-09T19:37:13.763

Link: CVE-2019-25672

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:48:36Z

Weaknesses