CVE-2026-7783

Deferred Deferred - Pending Action

SQL Injection in Perfex CRM

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: VulDB

Description

A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-05

Last Modified

2026-05-05

Generated

2026-06-16

AI Q&A

2026-05-05

EPSS Evaluated

2026-06-14

NVD

CVE-2026-7783

EUVD

EUVD-2026-27155

Affected Vendors & Products

Vendor	Product	Version / Range
codecanyon	perfex_crm	to 3.4.1 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

This vulnerability is a flaw found in CodeCanyon Perfex CRM up to version 3.4.1. It affects the function AbstractKanban::applySortQuery located in the file application/services/AbstractKanban.php within the Admin Kanban Endpoint component. The flaw allows manipulation of an argument which leads to SQL injection. This means an attacker can remotely exploit this vulnerability to execute unauthorized SQL commands on the database.

Impact Analysis

The vulnerability can allow a remote attacker to perform SQL injection attacks, potentially leading to unauthorized access, modification, or deletion of data within the affected system. This can compromise the confidentiality, integrity, and availability of the data managed by the Perfex CRM application.

Compliance Impact

This vulnerability allows an attacker to read the entire database, including sensitive client and project data, as well as bcrypt-wrapped password hashes. Such unauthorized access to personal and sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal data.

The exposure of sensitive data through SQL injection can result in non-compliance with these standards, potentially leading to legal penalties, loss of trust, and the requirement to notify affected individuals and authorities.

Detection Guidance

This vulnerability can be detected by testing the `sort_by` parameter in the kanban-related endpoints for blind time-based SQL injection. An attacker can inject SQL commands such as the SLEEP function to observe response delays, confirming the vulnerability.

A common detection method involves sending specially crafted requests to the affected endpoints and measuring response times to detect time-based SQL injection.

Use curl or similar tools to send requests with payloads like: ?sort_by=column_name,SLEEP(5)-- to the kanban endpoints (leads, proposals, estimates, tasks).
Example command: curl -i 'http://target/perfexcrm/admin/kanban/leads?sort_by=id,SLEEP(5)--'
Observe if the response time is significantly delayed (e.g., by 5 seconds), indicating the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation involves applying a fix that whitelists sortable columns in the `applySortQuery` method and removing the unsafe usage of the `order_by` parameter to prevent direct injection.

Until a patch is applied, restrict access to the affected endpoints and monitor for suspicious activity, especially from staff accounts with minimal permissions.

Update Perfex CRM to a version where this vulnerability is fixed.
Implement input validation and sanitization on the `sort_by` parameter.
Limit staff account permissions and monitor logs for unusual queries or delays.

Hi! I’m here to help you understand CVE-2026-7783. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-7783

SQL Injection in Perfex CRM

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart