Description
Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.
Published: 2026-05-16
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a blind SQL injection in the ‘col’ parameter of the Activity Log endpoint, allowing an authenticated attacker to inject SQL and control database queries. By sending specially crafted payloads that create measurable delays, the attacker can extract sensitive information such as table names, column names, and data values. The flaw stems from improper input validation, classified as CWE‑89, and enables an attacker to read data from the database without visible output.

Affected Systems

Getfuelcms Fuel CMS version 1.4.13. No other versions are listed as vulnerable, and the product is specifically identified by this version.

Risk and Exploitability

The CVSS v3.1 score of 7.1 indicates a medium‑to‑high severity, and because the attack requires authentication, it is less exploitable than a public flaw but still concerning. EPSS data is not available, so the likelihood of exploitation cannot be quantified at this time. The vulnerability is not included in CISA’s KEV catalog. The attack vector is internal; an attacker with legitimate user credentials can leverage the vulnerable endpoint to perform blind data extraction.

Generated by OpenCVE AI on May 16, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Fuel CMS release that addresses the blind SQL injection flaw.
  • If an upgrade cannot be performed immediately, restrict access to the Activity Log endpoint so that only privileged administrators can use it.
  • Continuously monitor request latency and patterns on the Activity Log endpoint for signs of exploitation attempts.

Generated by OpenCVE AI on May 16, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.
Title Fuel CMS 1.4.13 Blind SQL Injection via col Parameter
First Time appeared Thedaylightstudio
Thedaylightstudio fuel Cms
Weaknesses CWE-89
CPEs cpe:2.3:a:thedaylightstudio:fuel_cms:1.4.13:*:*:*:*:*:*:*
Vendors & Products Thedaylightstudio
Thedaylightstudio fuel Cms
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Thedaylightstudio Fuel Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:19.913Z

Reserved: 2026-05-16T14:51:58.601Z

Link: CVE-2021-47980

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-16T16:16:23.623

Modified: 2026-05-16T16:16:23.623

Link: CVE-2021-47980

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T17:15:26Z

Weaknesses