CVE-2026-8133
Received - Intake
SQL Injection in FilePress up to 2.2.0

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: VulDB

Description
A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Manipulation of the argument order leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The name of the patch is e20ec58414103f781858f2951d178e19b1736664. A patch should be applied to remediate this issue.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE:
Vendor: zyx0814
Product: filepress
Version / Range: up to 2.2.0 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-8133 is a critical pre-authentication SQL injection vulnerability in the FilePress application. It arises because the 'order' parameter in certain API endpoints (notably in dzz/shares/admin.php and dzz/shares/ajax.php) is not properly validated or sanitized before being used directly in SQL ORDER BY clauses.

This lack of validation allows unauthenticated attackers to inject arbitrary SQL commands by manipulating the 'order' parameter in GET requests. Exploiting this vulnerability requires creating multiple anonymous share records and bypassing certain application filters, enabling attackers to perform time-based blind SQL injection attacks.

Successful exploitation can lead to extraction of sensitive data such as administrator credentials (username, password hash, and salt) and potentially full database compromise.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-8133 is a critical pre-authentication SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data, including administrator credentials, from the database. Successful exploitation can lead to full database compromise, exposing user records, configuration data, and attachment paths.

Such unauthorized access and data exposure can lead to violations of common data protection standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

Failure to remediate this vulnerability could result in non-compliance due to potential data breaches, unauthorized data disclosure, and lack of adequate security controls.

Applying the recommended patch and security measures (such as whitelisting parameters and adding authentication) is essential to maintain compliance with these standards.

How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access to sensitive data stored in the FilePress database.

  • Attackers can extract administrator credentials such as usernames, password hashes, and salts.
  • Full database compromise is possible, allowing attackers to retrieve user records, configuration details, and file attachment paths.
  • With stolen admin credentials, attackers can log into the backend panel and potentially execute remote code by installing malicious plugins.

Overall, this can lead to complete loss of data confidentiality, integrity, and availability within the affected system.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the 'order' parameter in GET requests to the Shares Filelist API endpoints, specifically in requests to dzz/shares/admin.php or dzz/shares/ajax.php. An unauthenticated attacker can inject SQL commands by manipulating this parameter.

Detection involves sending crafted HTTP GET requests with different 'order' parameter values to observe if SQL injection is possible. For example, testing with values other than 'asc' or 'desc' and checking for SQL errors or time delays can indicate vulnerability.

Commands to test might include using curl or similar tools to send requests like:

  • curl "http://target/index.php?mod=shares&op=ajax&do=filelist&order=asc"
  • curl "http://target/index.php?mod=shares&op=ajax&do=filelist&order=desc"
  • curl "http://target/index.php?mod=shares&op=ajax&do=filelist&order=asc;SLEEP(5)--" (to test for time-based SQL injection)

Additionally, creating multiple anonymous share records via the shareAddSubmit endpoint and then performing time-based blind SQL injection tests can confirm exploitation.
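As an added example (not code from the FilePress project or from this advisory), the following PHP script turns the rule above into a log check for defenders: it reads web-server access-log lines and reports requests to the Shares Filelist endpoint whose order value is anything other than asc or desc, so that attempts of the kind described can be found after the fact rather than only by probing the server. The log lines are constructed for illustration, the endpoint pattern mod=shares and do=filelist is taken from the requests listed above, and the Apache combined log format is an assumption.

```php
<?php
// Added example, not FilePress project code: scan access-log lines for requests to
// the Shares Filelist endpoint whose 'order' parameter is outside the asc/desc whitelist.
declare(strict_types=1);

// Constructed sample lines in Apache "combined" format; addresses and timestamps are made up.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [08/May/2026:10:00:01 +0000] "GET /index.php?mod=shares&op=ajax&do=filelist&order=asc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [08/May/2026:10:00:02 +0000] "GET /index.php?mod=shares&op=ajax&do=filelist&order=DESC HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2026:10:00:03 +0000] "GET /index.php?mod=shares&op=ajax&do=filelist&order=asc%2Cuid HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [08/May/2026:10:00:04 +0000] "GET /index.php?mod=shares&op=ajax&do=filelist&order=name HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [08/May/2026:10:00:05 +0000] "GET /index.php?mod=shares&op=ajax&do=shareAddSubmit HTTP/1.1" 200 40 "-" "curl/8.0"
LOG;

// The only values the patched code accepts, compared after lowercasing.
const ALLOWED_ORDER = ['asc', 'desc'];

/** True when the line is a Shares Filelist request whose 'order' value is not asc/desc (case-insensitive). */
function isSuspiciousFilelistRequest(string $logLine): bool
{
    // The request target sits in the quoted "METHOD target PROTOCOL" field.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return false;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);   // also percent-decodes values, so encoded input is normalised first
    if (($params['mod'] ?? null) !== 'shares' || ($params['do'] ?? null) !== 'filelist') {
        return false;             // other endpoints are out of scope for this check
    }
    if (!array_key_exists('order', $params)) {
        return false;             // no order given: nothing reaches the ORDER BY clause
    }
    if (!is_string($params['order'])) {
        return true;              // order[]=... style arrays are never a legitimate sort direction
    }
    return !in_array(strtolower($params['order']), ALLOWED_ORDER, true);
}

/** Returns the subset of log lines that an analyst should review. */
function scanLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if ($line !== '' && isSuspiciousFilelistRequest($line)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

foreach (scanLog(SAMPLE_LOG) as $hit) {
    echo 'REVIEW: ', $hit, PHP_EOL;
}
```

To run it against a real log, replace SAMPLE_LOG with the file contents (for example `file_get_contents('/var/log/apache2/access.log')`). The check deliberately mirrors the patch rather than looking for SQL keywords: any value outside the whitelist is worth a look, which catches encoded and case-varied variants without needing a signature list.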

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the official patch that enforces strict validation of the 'order' parameter, allowing only 'asc' or 'desc' values. This patch normalizes the parameter to lowercase and uses strict type comparison to prevent SQL injection.

Other recommended mitigations include:

  • Add authentication requirements to the filelist API and shareAddSubmit endpoints to prevent unauthenticated access.
  • Restrict or disable the creation of anonymous share records (uid=0) via unauthenticated requests.
  • Monitor and block suspicious requests that attempt to manipulate the 'order' parameter or exploit SQL injection.

Applying the patch identified by commit e20ec58414103f781858f2951d178e19b1736664 is critical to remediate this issue.
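The validation the answer describes, written out in PHP as an added example rather than the project's actual commit: the parameter is lowercased and compared strictly against the two allowed values before it is interpolated into the ORDER BY clause. Because neither the sort direction nor a column name can be passed as a bound parameter, the example goes slightly beyond the advisory and whitelists the sort column the same way. The fallback to 'desc', the column whitelist, the table and column names, and the bound share id are all assumptions for illustration.

```php
<?php
// Added example, not the FilePress patch itself: strict whitelist validation of the
// 'order' (and, as an extension, 'sort') parameters before they reach ORDER BY.
declare(strict_types=1);

const ALLOWED_ORDER = ['asc', 'desc'];
// Hypothetical sortable columns; ORDER BY cannot take bound parameters, so both the
// column and the direction must come from fixed lists rather than from the request.
const ALLOWED_SORT_COLUMNS = ['dateline', 'filename', 'filesize'];

/** Returns 'asc' or 'desc'; anything else (including arrays or a missing value) falls back to 'desc'. */
function normalizeOrder(mixed $raw): string
{
    if (!is_string($raw)) {
        return 'desc';
    }
    $order = strtolower(trim($raw));
    // Strict comparison: no type juggling, and no partial match on strings such as "asc;..."
    return in_array($order, ALLOWED_ORDER, true) ? $order : 'desc';
}

/** Returns a whitelisted column name, defaulting to 'dateline' (assumed default). */
function normalizeSortColumn(mixed $raw): string
{
    return (is_string($raw) && in_array($raw, ALLOWED_SORT_COLUMNS, true)) ? $raw : 'dateline';
}

/**
 * Builds the filelist query from request parameters. Only whitelisted tokens are
 * interpolated; the share id is returned as a bound parameter for a prepared statement.
 * Table and column names are hypothetical.
 */
function buildFilelistQuery(array $get): array
{
    $sql = sprintf(
        'SELECT fid, filename, filesize, dateline FROM share_files WHERE sid = :sid ORDER BY %s %s',
        normalizeSortColumn($get['sort'] ?? null),
        normalizeOrder($get['order'] ?? null)
    );
    return [$sql, [':sid' => (int)($get['sid'] ?? 0)]];
}

// Demonstration with constructed request parameters: mixed case, a value carrying
// extra SQL syntax, and an array value all collapse to a whitelisted direction.
foreach ([['order' => 'ASC'], ['order' => 'asc;SLEEP(5)--'], ['order' => ['x']]] as $get) {
    [$sql, $bind] = buildFilelistQuery($get + ['sid' => 42]);
    echo $sql, PHP_EOL;
}
```

In the application the returned pair would be used as `$stmt = $pdo->prepare($sql); $stmt->execute($bind);` (PDO usage assumed). The point of the strict `in_array(..., true)` comparison is that the decision is made on the whole normalised string, so no input that is not exactly asc or desc can ever be copied into the query.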