Description
Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.
Published: 2026-04-15
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

A flaw in Slah CMS versions 1.5.0 and earlier permits unauthenticated users to inject arbitrary SQL through the id parameter on the vereador_ver.php endpoint. The injection can read, modify, or delete database records, exposing confidential data and compromising application integrity. The weakness corresponds to CWE‑89.

Affected Systems

Any deployment of Slah CMS running version 1.5.0 or older is vulnerable. The affected code resides in vereador_ver.php and is accessible through the web interface. Administrators should confirm the CMS version and review exposure of this endpoint.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. With no EPSS data and absence from the KEV catalog, precise exploitation likelihood remains unknown, yet the flaw is readily exploitable over HTTP by any user who can reach the site. Because the id parameter is user‑controlled and no authentication is required, attackers can perform data exfiltration, corruption, or deletion. The risk remains significant for unpatched systems.

Generated by OpenCVE AI on April 15, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the most recent Slah CMS release beyond 1.5.0
  • Implement input validation or prepared statements for the id parameter in vereador_ver.php to prevent SQL injection
  • Limit access to the vereador_ver.php endpoint to authenticated administrators or block it from public exposure



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 22:45:00 +0000

Type: Title
Values Added: SQL Injection via vereador_ver.php in Slah CMS

Wed, 15 Apr 2026 21:15:00 +0000

Type: First Time appeared
Values Added:
  Slah Cms
  Slah Cms slah Cms

Type: Vendors & Products
Values Added:
  Slah Cms
  Slah Cms slah Cms

Wed, 15 Apr 2026 18:30:00 +0000

Type: Weaknesses
Values Added: CWE-89

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 17:15:00 +0000

Type: Description
Values Added: Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T17:23:41.420Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-30995

Vulnrichment

Updated: 2026-04-15T17:23:17.347Z

NVD

Status: Received

Published: 2026-04-15T17:17:04.337

Modified: 2026-04-15T18:17:00.040

Link: CVE-2026-30995

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses