CVE-2026-42474
SQL Injection in MixPHP Framework
Publication date: 2026-05-01
Last updated on: 2026-05-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mixphp | framework | From 2.0.0 (inc) to 2.2.17 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an SQL injection in the MixPHP Framework 2.x through 2.2.17 via a crafted `data` array to the data function in BuildHelper.php.
To detect this vulnerability on your system or network, you can attempt to identify if the affected versions of MixPHP Framework are in use and test for SQL injection by sending crafted payloads targeting the data parameter used in SQL queries.
Since the vulnerability involves the `data` function in BuildHelper.php, which constructs SQL SET clauses, you can try injecting SQL syntax into parameters that are passed to this function and observe if the application behaves unexpectedly or returns SQL errors.
- Use tools like sqlmap to test endpoints that accept data arrays or parameters related to database updates or inserts.
- Example sqlmap command: sqlmap -u "http://targetsite.com/vulnerable_endpoint" --data="data[key]=value" --risk=3 --level=5
- Manually test by sending HTTP requests with crafted payloads in the data array to see if SQL errors or unexpected behavior occur.
- Check your web server or application logs for SQL errors or suspicious query patterns related to the data function.
Can you explain this vulnerability to me?
This vulnerability is a SQL injection issue found in the MixPHP Framework versions 2.x through 2.2.17. It occurs when a crafted 'data' array is passed to the data function in the BuildHelper.php file, potentially allowing an attacker to manipulate database queries.
How can this vulnerability impact me? :
An attacker exploiting this SQL injection vulnerability could execute arbitrary SQL commands on the database. This may lead to unauthorized data access, data modification, or deletion, potentially compromising the integrity and confidentiality of your data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 could potentially lead to unauthorized access or manipulation of sensitive data stored in databases.
Such unauthorized access or data breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and health information.
Failure to prevent SQL injection attacks may result in exposure of confidential data, leading to violations of data protection requirements and possible legal and financial consequences.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is an SQL injection in MixPHP Framework versions 2.x through 2.2.17 via crafted input to the data function in BuildHelper.php.
To mitigate this vulnerability, you should upgrade to a version of MixPHP Framework that has fixed this issue or apply patches if available.
Additionally, reviewing the BuildHelper.php code to ensure proper parameter binding and input validation is enforced can help prevent SQL injection.