Description
Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.
Published: 2026-05-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a blind SQL injection in the ‘col’ parameter of the Activity Log endpoint, allowing an authenticated attacker to inject SQL and control database queries. By sending specially crafted payloads that create measurable delays, the attacker can extract sensitive information such as table names, column names, and data values. The flaw stems from improper input validation, classified as CWE‑89, and enables an attacker to read data from the database without visible output.

Affected Systems

Getfuelcms Fuel CMS version 1.4.13. No other versions are listed as vulnerable, and the product is specifically identified by this version.

Risk and Exploitability

The CVSS v3.1 score of 7.1 indicates a medium‑to‑high severity, and because the attack requires authentication, it is less exploitable than a public flaw but still concerning. EPSS data is not available, so the likelihood of exploitation cannot be quantified at this time. The vulnerability is not included in CISA’s KEV catalog. The attack vector is internal; an attacker with legitimate user credentials can leverage the vulnerable endpoint to perform blind data extraction.

Generated by OpenCVE AI on May 16, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Fuel CMS release that addresses the blind SQL injection flaw.
  • If an upgrade cannot be performed immediately, restrict access to the Activity Log endpoint so that only privileged administrators can use it.
  • Continuously monitor request latency and patterns on the Activity Log endpoint for signs of exploitation attempts.

Generated by OpenCVE AI on May 16, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Getfuelcms
Getfuelcms fuel Cms
Vendors & Products Getfuelcms
Getfuelcms fuel Cms

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.
Title Fuel CMS 1.4.13 Blind SQL Injection via col Parameter
First Time appeared Thedaylightstudio
Thedaylightstudio fuel Cms
Weaknesses CWE-89
CPEs cpe:2.3:a:thedaylightstudio:fuel_cms:1.4.13:*:*:*:*:*:*:*
Vendors & Products Thedaylightstudio
Thedaylightstudio fuel Cms
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Getfuelcms Fuel Cms
Thedaylightstudio Fuel Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T13:50:17.798Z

Reserved: 2026-05-16T14:51:58.601Z

Link: CVE-2021-47980

cve-icon Vulnrichment

Updated: 2026-05-18T13:50:14.088Z

cve-icon NVD

Status : Deferred

Published: 2026-05-16T16:16:23.623

Modified: 2026-05-18T17:26:40.167

Link: CVE-2021-47980

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T17:00:31Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')