CVE-2026-7389
Received Received - Intake
SQL Injection in EyouCMS up to 1.7.9

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in EyouCMS up to 1.7.9. The affected element is the function GetSortData of the file application/common.php. The manipulation of the argument sort_asc leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7389
EUVD
EUVD-2026-26252
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
eyoucms eyoucms to 1.7.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a SQL injection in EyouCMS up to version 1.7.9, which can be exploited remotely. Such vulnerabilities can lead to unauthorized access or manipulation of sensitive data.

While the provided information does not explicitly mention compliance impacts, SQL injection vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of standards like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could potentially lead to non-compliance with regulations that require protection of personal or sensitive data.

Detection Guidance

This vulnerability can be detected by monitoring for specially crafted HTTP requests targeting the article list endpoint of EyouCMS, specifically those manipulating the `sort_asc` parameter in the `GetSortData()` function. These requests may contain unusual SQL syntax such as `NOT BETWEEN` or other time-based blind SQL injection payloads.

To detect exploitation attempts, you can use network monitoring tools or web server logs to identify suspicious requests with unusual parameters in the URL or POST data.

Example command using curl to test for the vulnerability by sending a crafted request:

  • curl -v 'http://target-site/path/to/article/list?sort_asc=1%20NOT%20BETWEEN%201%20AND%202'

Additionally, you can use tools like sqlmap to automate detection and exploitation testing against the vulnerable parameter:

  • sqlmap -u 'http://target-site/path/to/article/list?sort_asc=1' --risk=3 --level=5 --dbs
Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the vulnerable endpoint by implementing firewall rules or web application firewall (WAF) rules to block suspicious requests containing SQL injection patterns in the `sort_asc` parameter.
  • Disable or restrict the sorting functionality that uses the `sort_asc` parameter until a patch or fix is available.
  • Monitor logs closely for any signs of exploitation attempts and respond accordingly.
  • If possible, apply input validation and sanitization on the `sort_asc` parameter to prevent SQL injection.
  • Consider isolating or taking the affected system offline if exploitation is suspected.
Executive Summary

This vulnerability exists in EyouCMS versions up to 1.7.9 in the GetSortData() function located in application/common.php. It involves the sort_asc parameter, which is directly concatenated into an SQL ORDER BY clause without proper validation or sanitization.

Because of this, unauthenticated attackers can perform time-based blind SQL injection attacks by sending specially crafted requests to the article list page. This allows them to access the database, including extracting admin credentials stored as bcrypt hashes.

The vulnerability was introduced in version 1.5.4 when sorting functionality was added and remains unpatched. Attackers can bypass weak input filters using techniques like the NOT BETWEEN syntax.

Impact Analysis

Exploitation of this vulnerability can lead to full database access by unauthenticated attackers.

Attackers can extract sensitive information such as admin credentials, which are stored as bcrypt hashes.

With the obtained credentials, attackers may gain access to the admin panel, potentially resulting in complete system compromise.

Detection Guidance

This vulnerability can be detected by monitoring for specially crafted HTTP requests targeting the article list endpoint of EyouCMS, specifically those manipulating the `sort_asc` parameter in the `GetSortData()` function.

To detect potential exploitation attempts, you can look for unusual or suspicious requests containing SQL injection payloads in the `sort_asc` parameter, such as usage of SQL syntax like `NOT BETWEEN` or other time-based blind SQL injection patterns.

Example command using curl to test for the vulnerability by sending a crafted request might be:

  • curl -v 'http://target-site/path-to-article-list?sort_asc=1%20NOT%20BETWEEN%201%20AND%202'

Additionally, monitoring web server logs or using intrusion detection systems (IDS) to flag requests with suspicious SQL syntax in parameters can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint and disabling or filtering the `sort_asc` parameter to prevent injection of malicious SQL code.

If possible, apply input validation and sanitization on the `sort_asc` parameter to ensure only expected values are accepted.

Since the vulnerability is in EyouCMS versions up to 1.7.9 and remains unfixed, consider upgrading to a patched version once available or applying custom patches to fix the SQL injection in the `GetSortData()` function.

In the meantime, monitor logs for suspicious activity and consider implementing web application firewall (WAF) rules to block malicious payloads targeting this vulnerability.

Executive Summary

This vulnerability exists in EyouCMS versions up to 1.7.9, specifically in the function GetSortData within the file application/common.php. It occurs due to improper handling of the argument sort_asc, which allows an attacker to perform SQL injection.

SQL injection is a type of security flaw where an attacker can manipulate a database query by injecting malicious SQL code through input parameters.

The attack can be initiated remotely, meaning an attacker does not need local access to exploit this vulnerability.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized access to or manipulation of the database used by EyouCMS.

Potential impacts include data leakage, data corruption, or unauthorized modification of data.

Since the vulnerability allows remote exploitation without authentication, it increases the risk of compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7389. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart