Description
A vulnerability has been found in Song-Li cross_browser up to ca690f0fe6954fd9bcda36d071b68ed8682a786a. This affects an unknown part of the file flask/uniquemachine_app.py of the component details Endpoint. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch ASAP
AI Analysis

Impact

A flaw in Song‑Li cross_browser allows a remote actor to manipulate the ID argument supplied to the Details Endpoint in flask/uniquemachine_app.py. By injecting specially crafted SQL into this parameter, an attacker can cause the server to execute arbitrary SQL statements against the underlying database, potentially reading, modifying, or deleting records. The vulnerability is classified as SQL injection (CWE‑89) and is additionally tagged with the more general injection weakness (CWE‑74).

Affected Systems

The flaw affects all releases of Song‑Li cross_browser up to commit ca690f0fe6954fd9bcda36d071b68ed8682a786a. Because the product follows a rolling release model, precise version identifiers are not available. Any currently deployed instance that has not applied an undisclosed fix remains vulnerable. The vendor has not responded to the disclosure, so no official patch is available as of the time of reporting.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity level, while the very low EPSS score (below 1%) and exclusion from CISA’s KEV catalog suggest the attack is not already widespread. Nevertheless, the exploitation path is straightforward: a remote user sends an HTTP request with a malicious ID payload; if the application fails to sanitize the input, the injected SQL is executed against the database. The attacker could obtain confidential data, alter application state, or erase critical records. Because the vendor has not released a fix and does not appear to acknowledge the vulnerability, the risk remains high for any exposed instance.

Generated by OpenCVE AI on April 5, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Song‑Li cross_browser to the latest release as soon as a patch is available
  • Validate and sanitize all incoming ID parameters before using them in SQL queries
  • Configure the database user used by the application with the least privilege necessary for its functions
  • Deploy a web application firewall to detect and block SQL injection patterns
  • Regularly review application logs for suspicious database activities
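The second and third actions above, as an added illustration that is not code from the cross_browser project (whose real details handler and schema are not shown in this record): a constructed in-memory table stands in for the application's database, and the string-spliced query the advisory describes is shown beside a handler that validates the ID and binds it as a query parameter.

```python
import re
import sqlite3

# Constructed stand-in for the application's database; the real schema behind
# uniquemachine_app.py is not shown in the advisory, so this table is assumed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (id INTEGER PRIMARY KEY, fingerprint TEXT)")
    conn.executemany("INSERT INTO machines VALUES (?, ?)",
                     [(1, "fp-aaa"), (2, "fp-bbb"), (3, "fp-ccc")])
    conn.commit()
    return conn

# Allow-list for the details ID: a positive integer of at most ten digits.
ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def parse_id(raw):
    """Return the ID as an int, or None if it is not a plain positive integer."""
    if raw is None or not ID_RE.fullmatch(raw):
        return None
    return int(raw)

def details_unsafe(conn, raw_id):
    """The pattern the advisory describes: the request argument is spliced into SQL."""
    sql = "SELECT id, fingerprint FROM machines WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def details_safe(conn, raw_id):
    """Hardened handler: validate first, then bind the value as a parameter.

    Returns (status, rows): 400 for a rejected ID, 404 when no row matches,
    200 with the matching row otherwise."""
    machine_id = parse_id(raw_id)
    if machine_id is None:
        return 400, []
    rows = conn.execute(
        "SELECT id, fingerprint FROM machines WHERE id = ?", (machine_id,)
    ).fetchall()
    return (200, rows) if rows else (404, [])

if __name__ == "__main__":
    db = make_db()
    print(details_unsafe(db, "1 OR 1=1"))  # every row: the WHERE filter is bypassed
    print(details_safe(db, "1 OR 1=1"))    # (400, []): rejected before any query runs
    print(details_safe(db, "2"))           # (200, [(2, 'fp-bbb')])
```

Pair the parameterized query with a database account that can only read the tables the endpoint needs, so that even a future injection elsewhere cannot modify or delete records.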

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Song-li; Song-li cross Browser
Type: Vendors & Products
Values Added: Song-li; Song-li cross Browser

Mon, 06 Apr 2026 15:30:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 15:45:00 +0000

Type: Description
Values Added: A vulnerability has been found in Song-Li cross_browser up to ca690f0fe6954fd9bcda36d071b68ed8682a786a. This affects an unknown part of the file flask/uniquemachine_app.py of the component details Endpoint. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
Values Added: Song-Li cross_browser details Endpoint uniquemachine_app.py sql injection
Type: Weaknesses
Values Added: CWE-74; CWE-89
Type: References
Type: Metrics
Values Added: cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T14:50:29.389Z

Reserved: 2026-04-04T14:50:46.154Z

Link: CVE-2026-5577

Vulnrichment

Updated: 2026-04-06T14:46:33.998Z

NVD

Status: Awaiting Analysis

Published: 2026-04-05T16:16:19.683

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:34Z

Weaknesses