CVE-2026-4189
Status: Awaiting Analysis - Queue
SQL Injection in phpipam Section Handler Enables Remote Exploits

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in phpipam up to and including 1.7.4. The affected code is an unknown function in the file app/admin/sections/edit-result.php of the Section Handler component. Manipulating the argument subnetOrdering leads to SQL injection. The attack can be launched remotely. An exploit has been made public and could be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-03-16
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: phpipam
Product: phpipam
Version / Range: up to 1.7.4 (inclusive)
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4189 is a SQL injection vulnerability in phpipam versions up to 1.7.4, specifically in the file app/admin/sections/edit-result.php within the Section Handler component.

The vulnerability arises from improper handling of the subnetOrdering parameter: a user with administrative rights can save SQL text in it through the section edit handler, and that stored value is executed later when the section's subnets are listed.

This is a second-order SQL injection. The payload is written to the database first and is only later concatenated into an unsafe query, specifically its ORDER BY clause, so the edit request itself looks harmless and the injection fires on a different page.

The injection is time-based blind, and the payload is constrained by the length of the database column (VARCHAR(16)).

Exploitation requires administrative authentication and can be remotely performed. The vendor was notified but did not respond.


How can this vulnerability impact me?

This vulnerability can impact the confidentiality, integrity, and availability of the affected phpipam system.

  • Confidentiality: an attacker can extract data from the phpipam database by injecting SQL. Because the injection is blind, extraction happens one bit or one character at a time through timing differences.
  • Integrity: depending on what the injected expression can reach, the attacker can alter or corrupt data through arbitrary SQL.
  • Availability: a time-based payload such as SLEEP() placed in the ORDER BY clause is evaluated for every row the listing sorts, so viewing a section with many subnets can tie up web and database workers and make the application unresponsive.

Exploitation requires an administrative account, so the attacker must already hold elevated application privileges. The weakness still matters: it turns an application-level admin account, which may be shared, phished or reused, into direct query access to the database behind phpipam, including data the admin interface never exposes, such as stored password hashes.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start with the version. Every phpipam release up to and including 1.7.4 is listed as affected and this page records no fixed version, so any installation at or below 1.7.4 should be treated as vulnerable. The running version is shown in the phpipam web interface, and the file `app/admin/sections/edit-result.php` will be present in any such installation. Searching the web for that file name is not a detection method: it is a POST handler behind administrative authentication, not a page a search engine can index.

Because the injected value is stored, the most reliable check for past exploitation is to read the `subnetOrdering` column of the sections table straight out of the database and compare each value with the small set of orderings the user interface can produce (values of the form `<column>,<asc|desc>` or `default`; confirm the exact set on your own instance). Anything containing parentheses, quotes or SQL keywords was not written by the form.

An active test belongs on a non-production copy only. As an authenticated administrator, edit a section and set `subnetOrdering` to `SLEEP(5)`, then open the subnet list of that section. SLEEP() in an ORDER BY clause runs once per sorted row, so the delay grows with the number of subnets in the section; the page reports delays of roughly 20 seconds. Remember to reset the stored value afterwards, since the payload stays in the database until it is overwritten.

  • Confirm the version is 1.7.4 or lower.
  • Query the sections table and flag any `subnetOrdering` value that is not one of the expected orderings.
  • Review web server access logs for POST requests to `/app/admin/sections/edit-result.php` and match them against expected section changes.
  • On a test instance only: store `SLEEP(5)` in `subnetOrdering` and watch for a delayed subnet listing.

What immediate steps should I take to mitigate this vulnerability?

As of the disclosure date this page records no official patch or mitigation from the vendor, and the vendor did not respond to the reporter. Check the project's release history for a version newer than 1.7.4 before relying on any of the workarounds below.

Immediate mitigation centres on the precondition for exploitation: the attacker needs an administrative phpipam account. Keep that set small, protect it with strong authentication, and keep the administration interface off the public internet.

Bound the damage as well. The vulnerable query runs with whatever rights phpipam's database account holds, so that account should be limited to the phpipam schema and carry no administrative database privileges; this does not remove the injection but limits what a successful one can read or change.

Replacing phpipam with another IP address management product is a last resort if no fix appears; disabling `/app/admin/sections/edit-result.php` at the web server is possible but also breaks legitimate section editing, so weigh it against how often sections change.

  • Restrict administrative access to phpipam to trusted personnel, behind MFA, SSO or VPN.
  • Run phpipam against a least-privileged database account confined to its own schema.
  • Periodically compare stored `subnetOrdering` values with the expected orderings, and review access logs for unexpected POSTs to `/app/admin/sections/edit-result.php`.
  • Consider blocking the section edit endpoint if sections rarely change, accepting the loss of that function.
  • If no fix is released, plan a migration to an alternative IP address management solution.
