CVE-2026-37505
Analyzed Analyzed - Analysis Complete
SQL Injection in V2Board thru 1.7.4

Publication date: 2026-05-01

Last updated on: 2026-05-11

Assigner: MITRE

Description
SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column including password, remember_token, and other sensitive fields, enabling information disclosure through ordering analysis.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-37505
EUVD
EUVD-2026-26669
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
v2board v2board to 1.7.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated admin to perform SQL injection via the ORDER BY clause, enabling information disclosure of sensitive fields such as passwords and tokens.

This unauthorized exposure of sensitive user data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the disclosure of passwords and authentication tokens increases the risk of data breaches, which must be reported under these regulations and can result in legal and financial penalties.

Detection Guidance

This vulnerability involves SQL injection via the ORDER BY clause in the Admin/UserController.php file, specifically through the sort parameter. Detection involves monitoring for unusual or unauthorized SQL queries or attempts to manipulate the sort parameter with unexpected values.

Since the vulnerability requires authenticated admin access, detection can include auditing admin actions and looking for suspicious sorting parameters that include SQL keywords or unexpected column names.

Commands to detect potential exploitation attempts might include:

  • Review web server logs or application logs for requests to Admin/UserController.php with unusual sort parameters.
  • Use grep or similar tools to search logs for SQL keywords in sort parameters, e.g., `grep -i 'sort=.*\b(SELECT|UNION|ORDER|DROP)\b' /path/to/logs`.
  • Monitor database query logs for ORDER BY clauses containing unexpected or non-whitelisted column names.
  • If possible, enable query logging on the database and filter for queries with ORDER BY clauses that include suspicious input.
Mitigation Strategies

Immediate mitigation steps include validating and sanitizing the sort parameter and the sort direction before they are used in the ORDER BY clause.

Specifically:

  • Implement a hard-coded allowlist of acceptable column names that can be used for sorting.
  • Explicitly check and restrict the sort direction to only 'ASC' or 'DESC'.
  • Avoid directly concatenating user input into SQL queries without validation or parameterization.
  • Restrict admin access to trusted users only, as exploitation requires authenticated admin privileges.
  • Apply any available patches or updates from the vendor that address this vulnerability.
Executive Summary

This vulnerability is a SQL Injection in V2Board versions up to 1.7.4. It occurs because the 'sort' parameter, which comes from user input, is passed directly to the database query method User::orderBy without any validation or sanitization.

An authenticated admin user can exploit this by sorting users based on any database column, including sensitive fields like passwords and tokens. This allows the attacker to disclose sensitive information by analyzing the order of the returned data.

Impact Analysis

The vulnerability can lead to information disclosure of sensitive user data such as passwords and authentication tokens. Since an authenticated admin can manipulate the sorting parameter to access these fields, it increases the risk of unauthorized data exposure.

This could compromise user accounts and overall system security, as attackers may gain insights into sensitive information that should be protected.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart