CVE-2026-52673 - Vulnerability Details

Description

SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component

Published: 2026-06-23

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a Classic SQL Injection flaw (CWE‑89) in the getDimensionsValues component of Cboard that permits a remote attacker to run arbitrary SQL commands, potentially leading to code execution on the underlying system.

Affected Systems

Cboard version 0.4.2 and all earlier releases are affected; vendor information is not disclosed.

Risk and Exploitability

With a CVSS score of 6.5 the risk is moderate and the EPSS score is not available; the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the unsecured getDimensionsValues endpoint, requiring the attacker to craft a specially crafted request that injects malicious SQL.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the most recent Cboard patch or upgrade to the latest supported version that removes the vulnerable code.
Restrict external access to the getDimensionsValues endpoint by firewall rules or by requiring authenticated sessions.
Ensure that all user input reaching database queries is properly parameterized or escaped to eliminate injection vectors.

Generated by OpenCVE AI on June 23, 2026 at 17:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://cboard.com
https://gist.github.com/onehang01/93d233a8aef2fc73294c25db8ca3b424
https://www.chuguotech.com/#/

History

Tue, 23 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Title		SQL Injection in Cboard getDimensionsValues Enables Remote Code Execution

Tue, 23 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-89
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 23 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component
References		http://cboard.com https://gist.github.com/onehang01/93d233a8aef2fc73294c25db8ca3b424 https://www.chuguotech.com/#/

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-23T00:00:00.000Z

Updated: 2026-06-23T15:54:34.231Z

Reserved: 2026-06-08T00:00:00.000Z

Link: CVE-2026-52673

Vulnrichment

Updated: 2026-06-23T15:54:12.471Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T17:30:05Z

Weaknesses

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object