Description
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1.
Published: 2026-05-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SimplePdo helper methods construct SQL by directly inserting an unquoted table name and data array keys into the query. This omission allows an attacker to embed SQL fragments through crafted array keys, giving full control over the executed statement. The vulnerability enables arbitrary SQL execution, potentially exposing, altering, or deleting application data and compromising confidentiality, integrity, and availability.

Affected Systems

Affected is the Flight PHP micro‑framework core library. All releases before version 3.18.1 contain the flaw, as the denial of safe identifier quoting is present in insert, update, and delete helpers.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score is unavailable, which does not lower the risk assessment. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely through web input where user data is passed directly to the helper methods; an attacker controlling array keys can trigger the injection. The condition for exploitation is that the application forwards user‑controlled data shapes to these helpers, a documented pattern in typical Flight usage. When present, exploitation could lead to any authority level the application possesses.

Generated by OpenCVE AI on May 13, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flight PHP core to version 3.18.1 or later, where the identifier quoting and validation have been added.
  • If an upgrade is not immediately possible, avoid using user‑controlled array keys in calls to SimplePdo::insert, ::update, or ::delete; instead, hardcode the table name and explicitly whitelist permissible columns.
  • Implement input validation to ensure that any values used as identifiers are strictly alphanumeric and correspond to known tables or columns before passing them to the helper methods.
  • Monitor application logs for failed query attempts or unexplained database activity that may indicate attempted exploitation.

Generated by OpenCVE AI on May 13, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xwqr-rcqg-22mr Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
History

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Flightphp
Flightphp core
Vendors & Products Flightphp
Flightphp core

Wed, 13 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1.
Title Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Flightphp Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:44:19.900Z

Reserved: 2026-04-28T16:56:50.191Z

Link: CVE-2026-42550

cve-icon Vulnrichment

Updated: 2026-05-14T15:44:04.937Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T20:16:22.060

Modified: 2026-05-14T16:51:08.300

Link: CVE-2026-42550

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:33:39Z

Weaknesses