CVE-2026-7083 - Vulnerability Details

- likeadmin-likeshop likeadmin_php dataTable Admin API DataTableLists.php queryResult sql injection

Description

A vulnerability has been found in likeadmin-likeshop likeadmin_php up to 1.9.6. Affected by this issue is the function queryResult of the file server\app\adminapi\lists\tools\DataTableLists.php of the component dataTable Admin API. The manipulation leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-04-27

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability stems from an unchecked user‑supplied parameter in the queryResult method of DataTableLists.php, enabling arbitrary SQL statements to be executed against the database. An attacker who can reach the Admin API endpoint can read, modify or delete data stored in the backend, compromising both confidentiality and integrity. The flaw does not provide direct code execution, but it does grant the attacker full control over database schema and contents.

Affected Systems

The issue exists in likeadmin‑likeshop’s likeadmin_php component for all releases up to and including version 1.9.6. Systems exposing the DataTable Admin API endpoint through that component are vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate exploitation risk. The EPSS score of less than 1% suggests that active exploitation is unlikely as of the current data, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote; a third‑party can trigger it by sending a crafted HTTP request to the vulnerable API, assuming no mitigating controls such as input validation or WAF are in place.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

likeadmin-likeshop

likeadmin_php

affected

Version	Status	Constraints
`1.9.0`	affected	—
`1.9.1`	affected	—
`1.9.2`	affected	—
`1.9.3`	affected	—
`1.9.4`	affected	—
`1.9.5`	affected	—
`1.9.6`	affected	—

No data.

Vendor Product Confidence Versions

Likeadmin-likeshop

Likeadmin Php

100%

Version	Status	Scheme	Platform
`1.9.0`	affected	semver	—
`1.9.1`	affected	semver	—
`1.9.2`	affected	semver	—
`1.9.3`	affected	semver	—
`1.9.4`	affected	semver	—
`1.9.5`	affected	semver	—
`1.9.6`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade likeadmin_php to a version later than 1.9.6 once a fix is released
Modify the queryResult implementation to use parameterized queries or prepared statements, ensuring all input is properly sanitized
Deploy a web application firewall rule set to detect and block typical SQL injection patterns targeting the Admin API endpoint

Generated by OpenCVE AI on April 28, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/likeadmin-likeshop/likeadmin_php/
https://github.com/likeadmin-likeshop/likeadmin_php/issues/8
https://vuldb.com/submit/799570
https://vuldb.com/vuln/359658
https://vuldb.com/vuln/359658/cti

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Likeadmin-likeshop Likeadmin-likeshop likeadmin Php
Vendors & Products		Likeadmin-likeshop Likeadmin-likeshop likeadmin Php

Mon, 27 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 27 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in likeadmin-likeshop likeadmin_php up to 1.9.6. Affected by this issue is the function queryResult of the file server\app\adminapi\lists\tools\DataTableLists.php of the component dataTable Admin API. The manipulation leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title		likeadmin-likeshop likeadmin_php dataTable Admin API DataTableLists.php queryResult sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/likeadmin-likeshop/likeadmin_php/ https://github.com/likeadmin-likeshop/likeadmin_php/issues/8 https://vuldb.com/submit/799570 https://vuldb.com/vuln/359658 https://vuldb.com/vuln/359658/cti
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Likeadmin-likeshop Likeadmin Php

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-27T03:30:14.509Z

Updated: 2026-04-27T12:31:11.873Z

Reserved: 2026-04-26T08:03:03.732Z

Link: CVE-2026-7083

Vulnrichment

Updated: 2026-04-27T12:31:08.647Z

NVD

Status : Deferred

Published: 2026-04-27T04:16:09.723

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object