Description
SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.
Published: 2026-06-11
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the ezform.php script of the damasac Thai Palliative LTE application, where the idFormMain and id parameters are concatenated directly into SQL queries without any sanitization or use of parameterized statements. An attacker who can construct HTTP requests to /substudy/ezform.php can inject arbitrary SQL commands, potentially causing data disclosure, modification, or deletion. This is an injection flaw classified as CWE-89.

Affected Systems

Any instance of damasac Thai Palliative LTE version 3.0 that hosts the ezform.php endpoint is susceptible. The vulnerability is triggered by remote HTTP requests carrying crafted values in the idFormMain or id parameters, so any machine exposed to the web interface of this application is at risk.

Risk and Exploitability

With a CVSS score of 9.8 the issue is extremely severe. No EPSS value is available, so no exploitation-probability estimate can be given, but the flaw is exploitable over the network. The vulnerability is not currently listed in the CISA KEV catalog, but its high severity and remote nature imply it could be actively targeted. The CVSS vector records no privileges and no user interaction required (PR:N, UI:N), so an attacker needs only to send crafted parameter values from any remote location, with the potential to compromise the underlying database.

Generated by OpenCVE AI on June 11, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the Thai Palliative LTE application once the vendor releases a fix.
  • Refactor the ezform.php code to use prepared statements or ORM frameworks that automatically escape input, ensuring that idFormMain and id values are never concatenated into SQL queries.
  • Deploy a web application firewall or input filtering mechanism that detects and blocks SQL injection patterns before they reach the application.
  • If an upgrade is not feasible, restrict access to the /substudy/ezform.php endpoint to trusted IP ranges or enforce strict authentication and authorization controls to limit the attack surface.
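To make the second recommendation concrete, here is an added illustration, not code from the thaipalliative_lte project (its ezform.php source is not on this page): a hypothetical lookup written in the concatenating style the advisory describes, beside the prepared-statement form that replaces it. The table name form_main, its columns and the mysqli connection are assumptions; only the parameter names idFormMain and id come from the advisory.

```php
<?php
// Added illustration, not the project's code. Table "form_main" and the
// mysqli setup are assumed; the parameter names come from the advisory.

// Pattern the advisory describes: the raw request value is spliced into the
// query text, so the database parses whatever the client sent as SQL.
function loadRecordVulnerable(mysqli $db, string $raw)
{
    return $db->query("SELECT * FROM form_main WHERE idFormMain = '$raw'");
}

// Hardened replacement: the query text is fixed and the value is bound as an
// integer. The column name is picked from an allowlist, never taken from the
// request, because placeholders can bind values but not identifiers.
function loadRecordSafe(mysqli $db, string $column, ?string $raw): ?array
{
    $allowed = ['idFormMain' => 'idFormMain', 'id' => 'id'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException('unknown lookup column');
    }

    // Reject anything that is not a plain integer before it reaches the DB.
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false) {
        return null;
    }

    $stmt = $db->prepare("SELECT * FROM form_main WHERE {$allowed[$column]} = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $value);       // 'i' marks the parameter as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handler sketch (connection details are placeholders):
// $db   = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $main = loadRecordSafe($db, 'idFormMain', $_GET['idFormMain'] ?? null);
// $sub  = loadRecordSafe($db, 'id', $_GET['id'] ?? null);
// if ($main === null || $sub === null) { http_response_code(400); exit; }
```

A 400 response for non-integer input is also a convenient signal to log and alert on while the endpoint stays exposed.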

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Damasac; Damasac thaipalliative Lte
Vendors & Products   -                Damasac; Damasac thaipalliative Lte

Thu, 11 Jun 2026 20:15:00 +0000

Type   Values Removed   Values Added
Title  -                Remote SQL Injection in Thai Palliative LTE EZForm Endpoint

Thu, 11 Jun 2026 15:30:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                CWE-89
Metrics     -                cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                             ssvc (version 2.0.3): Automatable yes, Exploitation poc, Technical Impact total


Thu, 11 Jun 2026 14:15:00 +0000

Type         Values Removed   Values Added
Description  -                SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-11T14:40:29.371Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38581

Vulnrichment

Updated: 2026-06-11T14:39:58.204Z

NVD

Status: Deferred

Published: 2026-06-11T14:16:27.123

Modified: 2026-06-11T16:16:22.620

Link: CVE-2026-38581

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T20:45:10Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')