Description
A vulnerability was identified in PbootCMS up to 3.2.12. The impacted element is the function checkUsername of the file apps/home/controller/MemberController.php of the component Member Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Published: 2026-03-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the checkUsername function of PbootCMS’s MemberController, allowing an attacker to manipulate the Username parameter and inject arbitrary SQL. This flaw enables a remote attacker to bypass authentication, read, modify, or delete database records, and potentially gain full control over application data. The weakness is a classic SQL Injection, identified by CWE-74 and CWE-89, which directly compromises confidentiality and integrity of the database.
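As an added illustration (not PbootCMS's code; the table name, connection helper and username policy below are assumed), this is the pattern that removes the injection class described above: the username is validated first and then bound as a parameter, so it can never change the SQL text.

```php
<?php
// Added illustration, not PbootCMS code. Assumed: a PDO connection and a
// table `member_table` with a `username` column (both names hypothetical).

// Unsafe pattern (what CWE-89 describes): the raw request value is spliced
// into the SQL string, so a crafted Username changes the query's meaning.
function checkUsernameUnsafe(PDO $db, string $username): bool
{
    $sql = "SELECT COUNT(*) FROM member_table WHERE username = '" . $username . "'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened version: validate the shape first, then bind the value so the
// database driver treats it strictly as data, never as SQL.
function checkUsernameSafe(PDO $db, string $username): bool
{
    // Reject anything outside the application's username policy before the
    // query runs (policy assumed here: 3-32 chars of letters, digits, _ . -).
    if (!preg_match('/^[A-Za-z0-9_.\-]{3,32}$/', $username)) {
        throw new InvalidArgumentException('invalid username format');
    }

    $stmt = $db->prepare('SELECT COUNT(*) FROM member_table WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Defensive PDO setup (assumed helper): disable emulated prepares so the
// binding happens server-side, and surface driver errors as exceptions
// instead of silently returning false.
function connectDb(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```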

Affected Systems

PbootCMS versions up to 3.2.12 are affected. The vulnerability lies in the application's Member Login component, in apps/home/controller/MemberController.php.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. The flaw is reachable over the network without authentication, and a public exploit exists, so no specialized infrastructure is needed. The EPSS estimate is very low (under 1%) and the vulnerability is not listed in CISA's KEV catalog, but its remote reachability and the public exploit increase the practical risk. An attacker would need only a crafted request to the login endpoint.

Generated by OpenCVE AI on March 20, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the PbootCMS website or repository for a patch that removes the SQL injection in checkUsername and apply the updated version (e.g., 3.2.13 or later).
  • If a patch is not yet available, isolate the affected system from external network traffic or place the login endpoint behind a web application firewall configured to block SQL injection patterns.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 22:45:00 +0000

Values removed: none. Values added, by type:
Description: A vulnerability was identified in PbootCMS up to 3.2.12. The impacted element is the function checkUsername of the file apps/home/controller/MemberController.php of the component Member Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Title: PbootCMS Member Login MemberController.php checkUsername sql injection
First Time appeared: Pbootcms; Pbootcms pbootcms
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:pbootcms:pbootcms:*:*:*:*:*:*:*:*
Vendors & Products: Pbootcms; Pbootcms pbootcms
References: (none listed)
Metrics:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Pbootcms Pbootcms
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-24T15:38:50.856Z

Reserved: 2026-03-20T14:25:45.837Z

Link: CVE-2026-4508

Vulnrichment

Updated: 2026-03-24T15:38:10.225Z

NVD

Status : Awaiting Analysis

Published: 2026-03-20T23:16:48.493

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-4508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:19Z

Weaknesses