Description
EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive database information.
Published: 2026-05-16
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL through the firstname parameter. By sending specially crafted POST requests to the insert.php endpoint, an attacker can alter SQL statements and potentially extract or modify sensitive database information. The vulnerability is categorized as CWE-89: unvalidated input is placed into an SQL statement, so attacker-supplied SQL executes within the database context and compromises confidentiality.

Affected Systems

The affected product is EgavilanMedia PHPCRUD 1.0, distributed by Egavilanmedia. No additional version details are provided beyond the 1.0 release. The vulnerability applies to installations that expose the insert.php endpoint and accept unfiltered firstname input.

Risk and Exploitability

The CVSS base score for this issue is 8.8, indicating high severity. Because the flaw requires no authentication and can be triggered with a simple HTTP POST, the risk of exploitation is high. No EPSS score is available and the issue is not listed in KEV, but neither lessens the need for immediate mitigation. An attacker can easily craft POST payloads and gain unauthorized access to database contents. The attack vector is external, over the network, against the web application.

Generated by OpenCVE AI on May 16, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor update or patch that fixes the injection flaw in EgavilanMedia PHPCRUD 1.0.
  • Implement server-side validation for the firstname field, allowing only expected characters.
  • Change database access code to use prepared statements or parameterized queries to eliminate concatenated SQL.
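The second and third recommended actions applied to the endpoint this record names, as an added example that is not PHPCRUD's own code: a hypothetical hardened insert.php handler that rejects unexpected firstname characters and binds the value through a PDO prepared statement instead of concatenating it into the query. The table name, column name and connection details are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not PHPCRUD's code. Hypothetical hardened insert.php.
// Assumptions: a `users` table with a `firstname` column; placeholder DSN/credentials.

// Weak pattern described by this CVE: the raw request value becomes part of
// the SQL text, so a quote or comment sequence in firstname changes the statement.
// $sql = "INSERT INTO users (firstname) VALUES ('" . $_POST['firstname'] . "')";

// Recommended action 2: server-side validation. Accept 1..50 characters made of
// Unicode letters, spaces, apostrophes and hyphens; anything else is rejected.
function validateFirstname(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $name = trim($raw);
    // \p{L} matches any Unicode letter; the /u modifier enables UTF-8 matching.
    if (!preg_match("/^\p{L}[\p{L}' -]{0,49}$/u", $name)) {
        return null;
    }
    return $name;
}

// Recommended action 3: a prepared statement. The value is sent as a bound
// parameter, never spliced into the SQL text, so it cannot alter the query.
function insertFirstname(PDO $pdo, string $firstname): int
{
    $stmt = $pdo->prepare('INSERT INTO users (firstname) VALUES (:firstname)');
    $stmt->bindValue(':firstname', $firstname, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Reject bad input with HTTP 400 before the database is touched.
$firstname = validateFirstname($_POST['firstname'] ?? null);
if ($firstname === null) {
    http_response_code(400);
    exit('Invalid firstname');
}

// Placeholder connection settings; load them from configuration in practice.
$pdo = new PDO('mysql:host=localhost;dbname=crud;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
echo 'Inserted record ' . insertFirstname($pdo, $firstname);
```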



Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type        | Values Removed | Values Added
Description |                | EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive database information.
Title       |                | EgavilanMedia PHPCRUD 1.0 SQL Injection via firstname
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
            |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:08.661Z

Reserved: 2026-02-01T11:24:18.720Z

Link: CVE-2021-47956

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-16T16:16:21.907

Modified: 2026-05-16T16:16:21.907

Link: CVE-2021-47956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T16:30:27Z

Weaknesses