Description
A vulnerability was identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This vulnerability affects unknown code of the file admin/editcourse.php of the component GET Request Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Assess Impact
AI Analysis

Impact

A flaw in QueryMine:sms allows an attacker to manipulate the ID argument of admin/editcourse.php and inject arbitrary SQL. The vulnerability is triggered by a GET request and can be exploited remotely, giving the attacker unauthenticated access to the database. The injection could lead to data exfiltration, unauthorized modification of records, or database compromise, representing a significant risk to confidentiality and integrity.

Affected Systems

The affected component is QueryMine:sms, specifically the admin/editcourse.php file. The vulnerability is present in versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593; the vendor has not published a fix and no newer releases are available at present.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, but the issue is publicly documented and can be exploited without authentication. The vulnerability is not listed in CISA KEV, yet its remote nature and SQL injection vector make it a noteworthy risk that could be leveraged by threat actors to compromise the database.

Generated by OpenCVE AI on April 18, 2026 at 09:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate the ID parameter to allow only numeric values before it is used in a query.
  • Refactor the database access code to employ prepared statements or other parameterized query techniques.
  • If code changes are infeasible, limit access to the admin interface through network controls or a web application firewall and monitor database logs for suspicious activity.
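As an added illustration of the first two recommended actions (this is not code from QueryMine sms, whose source is not shown here): a handler for the ID parameter of admin/editcourse.php that accepts only a positive integer and then reads the course row through a server-side prepared statement. The table and column names (courses, id), the connection settings and the helper names are assumptions.

```php
<?php
// Added example, not QueryMine sms code. Assumed schema: table `courses`
// with an integer primary key `id`; assumed connection settings below.
declare(strict_types=1);

// Validate the GET parameter before it reaches any SQL. Returns the integer
// ID, or null when the value is absent or not a positive integer, so inputs
// such as "1 OR 1=1", "1; --", "1.0" or "01abc" never reach the query.
function parseCourseId(array $query): ?int
{
    if (!isset($query['ID']) || !is_string($query['ID'])) {
        return null;
    }
    $id = filter_var($query['ID'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch the row with a prepared statement: the ID is sent as a bound integer
// parameter, never spliced into SQL text, so the query structure is fixed.
function loadCourse(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM courses WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder connection settings; the real application would load its own.
$db = new PDO('mysql:host=localhost;dbname=sms;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // true server-side prepares
]);

$id = parseCourseId($_GET);
if ($id === null) {
    // Record the rejected value for monitoring, then refuse the request.
    error_log(sprintf('editcourse.php: rejected ID parameter from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Invalid course ID');
}

$course = loadCourse($db, $id);
if ($course === null) {
    http_response_code(404);
    exit('Course not found');
}
// ... render the edit form for $course ...
```

The integer check alone closes this particular parameter, but the prepared statement is what protects every other value the file passes to the database.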

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

First Time appeared
  Values Removed: (none)
  Values Added: Querymine; Querymine sms
Vendors & Products
  Values Removed: (none)
  Values Added: Querymine; Querymine sms

Fri, 17 Apr 2026 13:15:00 +0000

Description
  Values Removed: (none)
  Values Added: A vulnerability was identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This vulnerability affects unknown code of the file admin/editcourse.php of the component GET Request Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Title
  Values Removed: (none)
  Values Added: QueryMine sms GET Request Parameter editcourse.php sql injection
Weaknesses
  Values Removed: (none)
  Values Added: CWE-74; CWE-89
References
  Values Removed: (none)
  Values Added: (none)
Metrics
  Values Removed: (none)
  Values Added:
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-17T12:45:11.275Z

Reserved: 2026-04-17T07:14:05.810Z

Link: CVE-2026-6488

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-17T13:16:14.603

Modified: 2026-04-17T13:16:14.603

Link: CVE-2026-6488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses