CVE-2026-1105
SQL Injection in EasyCMS /UserAction.class.php Allows Remote Exploit
Publication date: 2026-01-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| easycms | easycms | to 1.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1105 is a SQL injection vulnerability in EasyCMS version 1.6, specifically in the /UserAction.class.php file. The vulnerability occurs because the _order parameter used in SQL queries is not properly sanitized, allowing attackers to inject malicious SQL code remotely without authentication. This can be exploited using time-based blind SQL injection techniques to manipulate the database. [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow attackers to bypass authentication, gain administrator privileges, steal, modify, or delete sensitive data such as user passwords and personal information, execute system commands on the server, implant malware, and potentially take over the entire internal network. This can lead to severe security incidents including data breaches, server compromise, economic loss, reputational damage, and legal consequences. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the _order parameter in the /admin/user/index endpoint for SQL injection using tools like sqlmap. A proof-of-concept involves sending crafted POST requests to /index.php?s=/admin/user/index with manipulated _order parameters causing measurable delays, confirming time-based blind SQL injection. You can run a command such as: sqlmap -u "http://www.easycms.com/index.php?s=/admin/user/index" --data="_order=payload" --technique=T --dbms=MySQL to verify the injection. Additionally, Google dorking with queries like inurl:UserAction.class.php can help identify vulnerable targets. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement strict filtering and validation of the _order parameter to allow only alphanumeric characters and valid sorting keywords, rejecting special characters and SQL reserved words. 2) Refactor the SQL query construction in /UserAction.class.php to use parameterized queries or prepared statements instead of direct string concatenation. 3) Apply input and output encoding to escape malicious input. 4) Limit database user permissions to the minimum necessary, disallowing dangerous commands like DROP or EXECUTE. 5) Update the ThinkPHP framework and related components to secure versions. 6) Enable detailed logging and monitoring of database and web access, with real-time alerts for abnormal SQL activities. 7) Conduct security testing and validation after remediation using tools like sqlmap and penetration testing. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to gain unauthorized access to sensitive data such as user passwords, personal information, and commercial secrets, which can lead to data breaches. Such breaches can result in violations of data protection regulations like GDPR and HIPAA, potentially causing legal consequences, reputational damage, and regulatory penalties. Therefore, failure to address this SQL injection vulnerability negatively impacts compliance with common standards and regulations that require protection of sensitive data. [1]