Description
A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls[0][message_ids][]' parameter in '/supportboard/include/ajax.php' endpoint.
Published: 2026-03-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Database compromise via SQL injection
Action: Immediate Patch
AI Analysis

Impact

A classic SQL injection flaw exists in Support Board version 3.7.7, where an attacker can use the calls[0][message_ids][] parameter in the /supportboard/include/ajax.php endpoint to read, create, update, and delete data from the backend database. The vulnerability allows direct manipulation of the SQL statements executed by the application, giving full control over stored data.

Affected Systems

The affected product is Schiocco Support Board. The vulnerability is present in version 3.7.7. The vendor has released an official fix in version 3.7.8, published in February 2025.

Risk and Exploitability

The CVSS score of 8.7 signals a high severity condition. The EPSS metric is below 1 % and the issue is not listed in the CISA KEV catalog, indicating that publicly documented exploits are unlikely at this time. The attack vector is inferred to be remote, as the vulnerable endpoint is reachable via standard web requests on the public or internal network. If exploited, an attacker could compromise the confidentiality, integrity, and availability of the database, potentially exposing sensitive information or disrupting service.

Generated by OpenCVE AI on March 26, 2026 at 17:08 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by Schiocco team in version 3.7.8, released on February 2025.

OpenCVE Recommended Actions

  • Update to Support Board version 3.7.8 or later as issued by Schiocco

Generated by OpenCVE AI on March 26, 2026 at 17:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:schiocco:support_board:*:*:*:*:*:wordpress:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls[0][message_ids][]' parameter in '/supportboard/include/ajax.php' endpoint.
Title SQL Injection vulnerability in Support Board
First Time appeared Schiocco
Schiocco support Board
Weaknesses CWE-89
CPEs cpe:2.3:a:schiocco:support_board:*:*:*:*:*:*:*:*
cpe:2.3:a:schiocco:support_board:3.7.8:*:*:*:*:*:*:*
Vendors & Products Schiocco
Schiocco support Board
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Schiocco Support Board
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-25T17:41:55.649Z

Reserved: 2026-03-25T13:28:13.496Z

Link: CVE-2026-4815

cve-icon Vulnrichment

Updated: 2026-03-25T17:41:52.589Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T14:16:40.120

Modified: 2026-03-26T14:53:45.080

Link: CVE-2026-4815

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:47:10Z

Weaknesses