CVE-2026-2122
SQL Injection in Xiaopi Panel WAF /demo.php Allows Remote Attack
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiaopi | panel | up to 2026-01-26 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2122 is a SQL injection vulnerability in Xiaopi Panel up to version 20260126, located in an unknown function of the file /demo.php in the WAF Firewall component.

The flaw exists because the argument 'ID' is not properly filtered or neutralized, so an attacker can alter the SQL command the application builds from it.

Injection statements crafted with particular formats and encoding techniques allow the firewall's protections to be bypassed.

The attack can be launched remotely, and a public proof-of-concept exploit is available. [1, 3]
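To make the CWE-89 mechanism concrete, the following is an added example written for this page; it is not code from Xiaopi Panel (whose /demo.php source and query are not shown here) and it uses Python with an in-memory SQLite table as a stand-in for the PHP handler. The table name, columns and rows are constructed for illustration. The vulnerable function splices the 'ID' value into the SQL text, so the payload `1' OR '1'='1` turns a one-row lookup into a full dump; the hardened function binds the value as a parameter, so the same payload matches nothing.

```python
import sqlite3

# Constructed sample data; the real schema behind /demo.php is not published.
ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """CWE-89 pattern: the request parameter becomes part of the SQL text.

    Wrapping the value in quotes does not help once the value itself
    carries a quote, because the parser then sees attacker-supplied SQL.
    """
    sql = "SELECT id, name, email FROM users WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, raw_id):
    """Parameterised form: the driver binds the value as data, never as SQL.

    A payload such as 1' OR '1'='1 is compared as a literal string against
    the integer column and simply matches no row.
    """
    sql = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def demo(payload="1' OR '1'='1"):
    """Run the same payload through both versions and return the row counts."""
    conn = make_db()
    return len(lookup_vulnerable(conn, payload)), len(lookup_hardened(conn, payload))


if __name__ == "__main__":
    print(demo())  # (3, 0): injection dumps every row, the bound query returns none
```

In a real handler the 'ID' value would additionally be validated as an integer before it reaches the database; parameter binding alone is what closes the injection, the type check is defence in depth.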
How can this vulnerability impact me?
This vulnerability compromises the confidentiality, integrity, and availability of the affected system.
An attacker exploiting this SQL injection flaw can execute arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or disruption of service.
Because the exploit can be launched remotely and is easy to execute, it poses a significant risk to systems using the affected Xiaopi Panel versions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of a Xiaopi Panel version up to 20260126, specifically the /demo.php endpoint of the WAF Firewall component.

One method to identify potentially exposed hosts is Google dorking with the query: inurl:demo.php.

To detect exploitation attempts, or to test your own system for the vulnerability, send HTTP requests that manipulate the 'ID' parameter and check for SQL injection behaviour.

- Example curl command to test for SQL injection on the vulnerable endpoint:
- `curl -v "http://[target]/demo.php?ID=1' OR '1'='1"`
- Monitor logs for unusual SQL errors or unexpected behaviour triggered by such requests. [3]
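The log-monitoring step above is easier to act on with a small scanner. The following is an added example written for this page, not a tool shipped with Xiaopi Panel or referenced by the advisory. It parses combined-format web server access logs, picks out requests to /demo.php, decodes the 'ID' parameter through nested percent-encoding and inline-comment obfuscation (the "particular formats and encoding techniques" the description mentions), and flags SQL metacharacters and tautologies. The log lines are constructed sample traffic, and the pattern list is an assumption chosen for illustration rather than a published signature.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = r"""
10.0.0.5 - - [09/Feb/2026:10:01:02 +0000] "GET /demo.php?ID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Feb/2026:10:01:07 +0000] "GET /demo.php?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9831 "-" "curl/8.4.0"
10.0.0.9 - - [09/Feb/2026:10:01:09 +0000] "GET /demo.php?ID=1%2527%2520UNION%2520SELECT%25201%252C2 HTTP/1.1" 500 0 "-" "curl/8.4.0"
10.0.0.7 - - [09/Feb/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Feb/2026:10:02:13 +0000] "GET /demo.php?ID=1/**/OR/**/1=1-- HTTP/1.1" 200 9831 "-" "curl/8.4.0"
"""

# Fields we need from each line: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative indicators (an assumption, not a vendor signature), checked
# against the decoded, comment-stripped, lower-cased ID value.
SQLI_PATTERNS = [
    (r"'", "single quote"),
    (r"\bor\b\s*['\"]?\w*['\"]?\s*=", "OR tautology"),
    (r"\bunion\b.*\bselect\b", "UNION SELECT"),
    (r"--|#|/\*", "SQL comment"),
    (r";", "statement separator"),
]


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded payloads look like plain ones."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return the indicators found in a /demo.php ID parameter (empty list if clean)."""
    parts = urlsplit(target)
    if parts.path != "/demo.php":
        return []
    reasons = []
    # parse_qs already decodes one layer; fully_decode handles further layers.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("ID", []):
        # Inline comments (/**/) are a common whitespace substitute; collapse them first.
        value = re.sub(r"/\*.*?\*/", " ", fully_decode(raw)).lower()
        for pattern, label in SQLI_PATTERNS:
            if re.search(pattern, value, re.IGNORECASE):
                reasons.append(label)
    return reasons


def scan_log(text):
    """Return (ip, timestamp, status, indicators) for each suspicious /demo.php request."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            hits.append((m["ip"], m["ts"], int(m["status"]), sorted(set(reasons))))
    return hits


if __name__ == "__main__":
    for ip, ts, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} {', '.join(reasons)}")
```

Run it against a real access log with `scan_log(open("access.log").read())`; a run of hits from one source, particularly with 500 responses on /demo.php, is the combination of "unusual SQL errors" and crafted requests the guidance above asks you to watch for.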
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected Xiaopi Panel version with an alternative product, as no vendor patch or countermeasures have been reported.
Additionally, restrict access to the /demo.php endpoint with network-level controls such as IP allow-listing or firewall rules to limit exposure.
Monitor your system for suspicious activity related to SQL injection attempts, and consider deploying Web Application Firewall (WAF) rules that detect and block SQL injection payloads. Because the flaw sits in the panel's own WAF Firewall component, these rules belong on a separate WAF or reverse proxy in front of the panel rather than in the panel itself.