| Title | https://github.com/TeamEasy/EasyCMS EasyCMS v1.6 https://github.com/TeamEasy/EasyCMS |
|---|
| Description | There exists a SQL injection vulnerability in the /RbacnodeAction.class.php file of EasyCMS v1.6. This vulnerability arises because the _order parameter in the code is not effectively filtered and is directly concatenated into SQL query statements.
Attackers can capture the relevant POST request packets, insert malicious SQL statement markers into the parameters, launch attacks with tools such as sqlmap, and obtain database permissions via the time-based blind injection method. This vulnerability allows attackers to bypass authentication, steal sensitive data, tamper with database information, and even execute system commands to take control of the server. It will trigger severe security incidents such as data leakage and server compromise, posing an enormous threat to system security and data confidentiality.
|
|---|
| Source | ⚠️ https://github.com/ueh1013/VULN/issues/19 |
|---|
| User | zzzh (UID 94773) |
|---|
| Submission | 02/24/2026 04:04 (2 months ago) |
|---|
| Moderation | 03/08/2026 08:03 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 349752 [EasyCMS up to 1.6 Request Parameter RbacnodeAction.class.php _order sql injection] |
|---|
| Points | 20 |
|---|