Description
A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE record places the flaw in AbstractKanban::applySortQuery in application/services/AbstractKanban.php, the code that, judging by its name and the record, applies a caller-supplied sort selection to the query behind the Admin Kanban Endpoint. Because that sort input is not adequately validated before it reaches the query text, an attacker can inject SQL through it and make the application run database queries it never intended. The CVSS vectors recorded for the issue rate confidentiality, integrity and availability impact as low (C:L/I:L/A:L): data can be read or altered through the injected query, but the issue is not scored as a full database compromise.

Affected Systems

The vulnerability affects Perfex CRM, distributed through CodeCanyon, in all releases up to and including version 3.4.1. Any deployment running one of those versions is potentially exposed; check the installed version of every deployment against that range.

Risk and Exploitability

The 5.3 (Medium) headline score is the CVSS v4.0 base score; the same issue is scored 6.3 under CVSS v3.0/v3.1 and 6.5 under v2.0 (see History below). Every recorded vector requires low privileges (PR:L in v3/v4, Au:S in v2), so the attacker needs an authenticated account that can reach the Admin Kanban Endpoint; no user interaction is required and the endpoint is reachable over the network (AV:N). No EPSS score is available yet, but the exploit maturity is recorded as proof-of-concept (E:P / E:POC) and the record states that an exploit has been published. The issue is not listed in the CISA Known Exploited Vulnerabilities catalogue. The attack consists of sending a crafted value in the sort parameter consumed by applySortQuery; the record does not name the HTTP parameter or give the payload.

Generated by OpenCVE AI on May 5, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround has been provided at the time of writing.

OpenCVE Recommended Actions

  • Upgrade Perfex CRM to a version newer than 3.4.1, ensuring the offending code is removed or fixed by the vendor.
  • Apply any vendor‑issued patch or update that addresses SQL handling in the Admin Kanban Endpoint.
  • If an immediate upgrade is not feasible, validate every parameter that influences SQL sorting against an allow-list of permitted column names and directions before it reaches the query, and use parameterized queries for value positions. Column names and sort directions in an ORDER BY clause generally cannot be bound as prepared-statement parameters, so an allow-list mapping, not escaping, is the correct control for this class of injection.
  • Deploy or strengthen web application firewall rules that block common SQL injection signatures in front of the application. Treat this as a stopgap only: the vulnerable endpoint is an authenticated admin endpoint, and signature-based WAF rules are routinely bypassed.
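Added example, not Perfex CRM's own code (which is PHP) and not part of the OpenCVE page: a Python/sqlite3 illustration of the allow-list control recommended above. The table, rows, parameter names and payloads are all constructed for the demo; the record does not name the real endpoint's parameter. It shows why a sort value concatenated into ORDER BY lets an attacker evaluate arbitrary SQL expressions (here a CASE on a subquery whose truth value changes the row order, the basis of blind ORDER BY injection), and how an allow-list mapping rejects the same input outright.

```python
"""Sort-parameter injection vs. allow-listed ORDER BY (added illustration, sqlite3)."""
import sqlite3

# Constructed sample data for the demo; this is not Perfex CRM's schema.
_ROWS = [(1, "beta", 3), (2, "alpha", 1), (3, "gamma", 2)]


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, name TEXT, priority INTEGER)")
    conn.executemany("INSERT INTO tasks VALUES (?, ?, ?)", _ROWS)
    return conn


def naive_sorted_ids(sort: str) -> list:
    """Vulnerable pattern: the caller's sort value is pasted into the query text.

    Whatever the caller supplies is evaluated by the database as SQL.
    """
    conn = _connect()
    rows = conn.execute(f"SELECT id FROM tasks ORDER BY {sort}").fetchall()
    return [r[0] for r in rows]


# Allow-lists: user input selects an entry; only the fixed right-hand side reaches SQL.
ALLOWED_COLUMNS = {"id": "id", "name": "name", "priority": "priority"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort: str, direction: str = "asc") -> str:
    """Return an ORDER BY clause built only from allow-listed identifiers.

    Identifiers cannot be bound as prepared-statement parameters, so the
    control is a lookup, not escaping: unknown input is rejected outright.
    """
    column = ALLOWED_COLUMNS.get(sort.strip().lower())
    dir_sql = ALLOWED_DIRECTIONS.get(direction.strip().lower())
    if column is None or dir_sql is None:
        raise ValueError(f"rejected sort parameter: {sort!r} {direction!r}")
    return f"{column} {dir_sql}"


def safe_sorted_ids(sort: str, direction: str = "asc") -> list:
    """Hardened pattern: the clause comes from build_order_by, never from the caller."""
    conn = _connect()
    clause = build_order_by(sort, direction)
    rows = conn.execute("SELECT id FROM tasks ORDER BY " + clause).fetchall()
    return [r[0] for r in rows]


# Constructed payloads: the attacker's expression changes the row order depending on
# whether an arbitrary subquery condition is true, which is how blind ORDER BY
# injection extracts information one bit at a time.
PAYLOAD_TRUE = "(CASE WHEN (SELECT count(*) FROM tasks) > 2 THEN priority ELSE name END)"
PAYLOAD_FALSE = "(CASE WHEN (SELECT count(*) FROM tasks) > 5 THEN priority ELSE name END)"


def demo() -> dict:
    """Run both patterns against the same inputs and collect the outcomes."""
    result = {
        "by_name": naive_sorted_ids("name"),
        "injected_true": naive_sorted_ids(PAYLOAD_TRUE),    # condition true: sorted by priority
        "injected_false": naive_sorted_ids(PAYLOAD_FALSE),  # condition false: sorted by name
        "safe_priority_desc": safe_sorted_ids("priority", "desc"),
    }
    try:
        safe_sorted_ids(PAYLOAD_TRUE)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two injected payloads differ only in the subquery condition, and the naive path returns a different row order for each, so an attacker who can observe the kanban ordering can test any condition against the database. The hardened path never lets the attacker's string near the SQL text: it raises on the first unknown token, and a column rename in the schema is handled by editing the allow-list rather than by trusting the client.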

Advisories

No advisories yet.

History

Mon, 04 May 2026 23:30:00 +0000

Type Values Removed Values Added
Description A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Title CodeCanyon Perfex CRM Admin Kanban Endpoint AbstractKanban.php applySortQuery sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T23:15:13.847Z

Reserved: 2026-05-04T15:58:28.090Z

Link: CVE-2026-7783

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T00:16:17.460

Modified: 2026-05-05T00:16:17.460

Link: CVE-2026-7783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T00:30:11Z

Weaknesses