Description
SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `on` array to the joinOn function in BuildHelper.php.
Published: 2026-05-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the MixPHP Framework 2.x allows an attacker to inject arbitrary SQL statements through a specially crafted "on" array supplied to the joinOn function in BuildHelper.php. This injection can be used to read, modify, or delete data in the underlying database, compromising confidentiality, integrity, and potentially availability of the application. The weakness is a classic SQL injection vulnerability (CWE-89).

Affected Systems

The vulnerability affects all releases of MixPHP Framework from version 2.0 up to and including 2.2.17. No other products or vendors are listed as affected.

Risk and Exploitability

Because the flaw is triggered by a constructed input array, the exploitation requires the ability to influence the query construction, typically through the application’s normal data‑entry paths. No specific authentication requirements are stated, implying that the risk applies to any user who can supply the "on" array. The CVSS score of 6.5 indicates medium severity and, combined with the fact that the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalogue, the risk remains significant.

Generated by OpenCVE AI on May 2, 2026 at 07:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MixPHP Framework to a version later than 2.2.17 where the joinOn function sanitizes its inputs.
  • If an upgrade is not feasible, apply input validation to the "on" array so that only legitimate column names or properly escaped values are accepted.
  • Adopt prepared statements or parameterized queries in the database layer to eliminate the possibility of injection.
  • Restrict the functionality that builds join queries to trusted administrative users only.

Generated by OpenCVE AI on May 2, 2026 at 07:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in MixPHP Framework BuildHelper joinOn Function

Fri, 01 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `on` array to the joinOn function in BuildHelper.php.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T18:36:33.152Z

Reserved: 2026-04-27T00:00:00.000Z

Link: CVE-2026-42475

cve-icon Vulnrichment

Updated: 2026-05-01T18:36:28.726Z

cve-icon NVD

Status : Received

Published: 2026-05-01T16:16:31.930

Modified: 2026-05-01T19:16:31.620

Link: CVE-2026-42475

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses