Description
SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `data` array to the data function in BuildHelper.php.
Published: 2026-05-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in MixPHP Framework 2.x through 2.2.17 allows an attacker to inject arbitrary SQL through a crafted data array passed to the data function in BuildHelper.php. This weakness, classified as CWE‑89, can enable unauthorized database access, data theft or modification, and can compromise system integrity. Injection of this kind occurs when an application builds SQL queries from input without parameterization or proper sanitization, so successful exploitation could lead to disclosure of sensitive information or data tampering.

Affected Systems

MixPHP Framework versions 2.0 through 2.2.17 are affected. The vulnerability is present in the BuildHelper.php file that handles database query construction based on user-supplied data arrays.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, and no EPSS score is available. Its nature as a classic SQL injection suggests a high exploitation risk, especially if the database credentials used by the application have broad privileges. An attacker would need to deliver a crafted input array through an application interface, likely over HTTP. Successful exploitation could result in data exfiltration, alteration, or denial of service. The absence of a KEV listing does not indicate lower risk; it means only that the CVE has no entry in that catalog.

Generated by OpenCVE AI on May 2, 2026 at 00:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a MixPHP Framework release later than 2.2.17 that removes the vulnerability, if one has been released.
  • Configure the database user used by the framework with the minimum privileges necessary (e.g., read‑only access for read queries).
  • Ensure that all inputs to database queries are properly validated or parameterized; for existing code, review the BuildHelper.php data function to implement safe query construction.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in MixPHP BuildHelper Data Function

Fri, 01 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `data` array to the data function in BuildHelper.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T18:33:37.878Z

Reserved: 2026-04-27T00:00:00.000Z

Link: CVE-2026-42474

Vulnrichment

Updated: 2026-05-01T18:33:32.777Z

NVD

Status: Received

Published: 2026-05-01T16:16:31.813

Modified: 2026-05-01T19:16:31.460

Link: CVE-2026-42474

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:15:06Z

Weaknesses