| Field | Value |
|---|---|
| Title | foxcms <=1.2.6 SQL Injection |
| Description | The backend exposes a command-execution feature that takes SQL statements submitted by the user and passes them directly to Db::query() / Db::execute(). The code only blocks DROP via a substring check; it does not restrict other high-risk statements such as UPDATE/INSERT/DELETE/ALTER/CREATE/TRUNCATE/RENAME, and it implements no parameterization, syntax whitelisting, or read-only mode restriction. ... |
| Source | https://github.com/WAz1nR9/CVE/blob/main/FoxCMS_SQL |
| User | WAz1nR9 (UID 96839) |
| Submission | 03/27/2026 04:47 (25 days ago) |
| Moderation | 04/19/2026 07:13 (23 days later) |
| Status | Duplicate |
| VulDB entry | 307443 [FoxCMS 1.2.5 DataBackup.php executeCommand sql injection] |
| Points | 0 |