Description
A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was found in CodeCanyon Perfex CRM in the AbstractKanban::applySortQuery function of AbstractKanban.php. The function does not properly validate its input arguments, allowing an attacker to inject arbitrary SQL through the sort query. The flaw can be triggered remotely and results in unintended database queries, potentially exposing sensitive data or compromising data integrity.

Affected Systems

The vulnerability affects Perfex CRM products distributed through CodeCanyon, specifically all releases up to and including version 3.4.1. Systems running any of those versions are potentially exposed, and current deployments should be checked for the affected version.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating moderate severity. No EPSS score is available, but the exploit has already been published and is reported to be usable. The defect is not listed as a Known Exploited Vulnerability in CISA KEV. The attack vector is remote, meaning an adversary can trigger the injection over a network connection by manipulating the sort query parameter.

Generated by OpenCVE AI on May 5, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Perfex CRM to a version newer than 3.4.1, ensuring the offending code is removed or fixed by the vendor.
  • Apply any vendor-issued patch or update that addresses SQL handling in the Admin Kanban Endpoint.
  • If an immediate upgrade is not feasible, implement input validation and parameterized query handling for all parameters that influence SQL sorting to eliminate injection paths.
  • Deploy or strengthen web application firewall rules that block common SQL injection signatures on all publicly exposed endpoints.
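The third recommendation above (validate the sort parameters, parameterize the rest) as an added PHP example; this is not Perfex CRM's own code, and the class, function, table and column names are assumed.

```php
<?php
// Added example, not Perfex CRM code: allowlist handling for user-supplied
// sort parameters. A column name or ORDER BY direction cannot be bound as a
// prepared-statement parameter, so it is mapped to a fixed server-side literal;
// every data value is passed through a bound placeholder. Table and column
// names below are hypothetical.
declare(strict_types=1);

final class KanbanSort
{
    /** Request key => real column name. Only these keys are accepted. */
    private const COLUMNS = [
        'name'    => 'name',
        'created' => 'datecreated',
        'order'   => 'kanban_order',
    ];

    private const DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

    /** Return a safe "ORDER BY `col` DIR" fragment or throw on anything else. */
    public static function clause(string $column, string $direction): string
    {
        $col = self::COLUMNS[strtolower($column)] ?? null;
        $dir = self::DIRECTIONS[strtolower($direction)] ?? null;
        if ($col === null || $dir === null) {
            throw new InvalidArgumentException('Unsupported sort parameter');
        }
        return "ORDER BY `{$col}` {$dir}";
    }
}

// Sort fields go through the allowlist; the status filter is a bound value.
function fetchCards(PDO $db, int $statusId, string $column, string $direction): array
{
    $sql = 'SELECT id, name FROM kanban_cards WHERE status = :status '
        . KanbanSort::clause($column, $direction);
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':status', $statusId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed check: an unexpected direction token never reaches the SQL string.
try {
    KanbanSort::clause('name', 'asc;');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo KanbanSort::clause('created', 'DESC'), "\n";
```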



Advisories

No advisories yet.

History

Wed, 06 May 2026 14:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 09:45:00 +0000

Type: First Time appeared
Values added: Codecanyon; Codecanyon perfex Crm
Type: Vendors & Products
Values added: Codecanyon; Codecanyon perfex Crm

Mon, 04 May 2026 23:30:00 +0000

Type: Description
Values added: A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Type: Title
Values added: CodeCanyon Perfex CRM Admin Kanban Endpoint AbstractKanban.php applySortQuery SQL injection
Type: Weaknesses
Values added: CWE-74; CWE-89
Type: References
Values added:
Type: Metrics
Values added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-06T14:01:06.952Z

Reserved: 2026-05-04T15:58:28.090Z

Link: CVE-2026-7783

Vulnrichment

Updated: 2026-05-06T14:01:03.425Z

NVD

Status: Deferred

Published: 2026-05-05T00:16:17.460

Modified: 2026-05-05T19:10:02.317

Link: CVE-2026-7783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:22:28Z

Weaknesses