Description
A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data theft and potential system compromise through arbitrary SQL execution
Action: Apply patch
AI Analysis

Impact

A SQL injection vulnerability exists in the GET request handler for the ID parameter within admin/deletecourse.php of QueryMine sms. By manipulating this argument, an attacker controlling the request can inject arbitrary SQL statements, potentially reading, modifying, or deleting database contents. The flaw can be triggered remotely, and public exploits have already been shared, indicating the threat is active.

Affected Systems

Any instance of QueryMine sms that still includes the affected codebase up to commit 7ab5a9ea196209611134525ffc18de25c57d9593 remains vulnerable. The vendor employs a rolling release model, so specific patched versions are not listed, and the organization has not provided a fixed version. Every deployment running a build that does not include a fix should be treated as affected.

Risk and Exploitability

The CVSS score of 6.9 (rated Medium) reflects a moderate impact, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, relying on unsanitized user input. An exploit can execute arbitrary SQL on the underlying database, allowing attackers to exfiltrate sensitive data, alter records, or potentially elevate privileges if the database user has broader rights.

Generated by OpenCVE AI on April 18, 2026 at 09:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade QueryMine sms to the latest released version once it incorporates a fix for the deletecourse.php input validation bug, or apply a vendor-supplied patch if available.
  • Deploy a Web Application Firewall or similar filtering layer to block SQL keywords and patterns in incoming GET parameters targeting admin/deletecourse.php.
  • Modify the application’s handling of the ID parameter to ensure it accepts only numeric values, rejecting or escaping any other input before inclusion in SQL statements.
  • If a patch is not yet available, disable or remove the deletecourse.php endpoint from the public interface through web server configuration or application settings to eliminate the attack surface.
  • Monitor database logs for anomalous queries and review access controls on administrative interfaces to detect and prevent unauthorized use of the vulnerable endpoint.
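The third recommended action, accepting only a numeric ID and keeping it out of the SQL text, shown as an added illustrative example rather than QueryMine sms code. It assumes a PDO connection in `$pdo`, a `courses` table with an integer `id` column, and an admin session check `is_admin_session()`; all three are hypothetical.

```php
<?php
// Added illustrative example, not code from QueryMine sms: a hardened handler
// for a course-delete endpoint that takes its target from the ID GET parameter.
// Assumptions (all hypothetical): a PDO connection in $pdo, a `courses` table
// with an integer `id` column, and an admin session check is_admin_session().
declare(strict_types=1);

// Unsafe shape of the reported bug, shown for contrast only: the raw parameter
// is spliced into the SQL text, so the parameter controls the query structure.
//   $pdo->exec("DELETE FROM courses WHERE id = " . $_GET['ID']);

/**
 * Return the ID only if it is a plain positive integer, otherwise null.
 * filter_var() yields false for arrays, empty strings and anything that is
 * not a bare integer, so nothing but a number ever reaches the query.
 */
function parse_course_id(array $query): ?int
{
    if (!isset($query['ID'])) {
        return null;
    }
    $id = filter_var($query['ID'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Delete one course by id using a bound parameter; returns rows affected. */
function delete_course(PDO $pdo, int $id): int
{
    // Prepared statement: the value is sent as data and cannot alter the SQL.
    $stmt = $pdo->prepare('DELETE FROM courses WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling: authorise first, then validate, then act.
if (!is_admin_session()) {
    http_response_code(403);
    exit('Forbidden');
}
$id = parse_course_id($_GET);
if ($id === null) {
    // Record the rejection so monitoring (recommended above) can see probing.
    error_log('deletecourse: rejected non-numeric ID from ' . $_SERVER['REMOTE_ADDR']);
    http_response_code(400);
    exit('Invalid course ID');
}
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares
$deleted = delete_course($pdo, $id);
header('Location: courses.php?deleted=' . $deleted);
```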

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Querymine, Querymine sms
Vendors & Products | | Querymine, Querymine sms

Fri, 17 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | QueryMine sms GET Request Parameter deletecourse.php sql injection
Weaknesses | | CWE-74, CWE-89
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-17T14:04:14.886Z

Reserved: 2026-04-17T07:14:12.921Z

Link: CVE-2026-6490

Vulnrichment

Updated: 2026-04-17T14:04:05.817Z

NVD

Status: Received

Published: 2026-04-17T14:16:34.983

Modified: 2026-04-17T14:16:34.983

Link: CVE-2026-6490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses