CVE-2026-13529
Received - Intake

SQL Injection in YzmCMS up to 7.5


Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was found in YzmCMS up to 7.5. It affects an unknown function of the file /application/install/index.php. Manipulating the argument siteurl leads to SQL injection. The attack can be executed remotely. The attack complexity is high, and exploitation is reported as difficult. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| yzmcms | yzmcms  | 7.5             |

Exploitability

| CWE ID | Description |
|--------|-------------|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |

Executive Summary

This vulnerability is a SQL injection flaw found in YzmCMS version 7.5, specifically in the installation module via the siteurl parameter.

The issue arises because user input for the "Site URL" is only processed with the trim() function and then directly concatenated into an SQL UPDATE statement without proper sanitization or use of parameterized queries.

An attacker can exploit this by deleting the cache/install.lock file to re-enter the installation process, then inputting a crafted payload in the "Site Domain" field on the Site Configuration page.

This allows the attacker to inject malicious SQL commands, such as error-based techniques like updatexml, to extract sensitive database information including usernames, versions, and administrator credentials.

Impact Analysis

Exploiting this vulnerability can lead to serious impacts including data exfiltration, where sensitive information such as database contents and administrator credentials can be stolen.

Attackers may also achieve account takeover by obtaining administrative credentials.

Furthermore, it can lead to remote code execution (RCE) by modifying backend templates to inject PHP code, potentially allowing full control over the affected system.

Detection Guidance

This vulnerability can be detected by attempting to exploit the SQL injection in the installation module via the siteurl parameter during the installation process of YzmCMS v7.5.

To detect it, you can try to reproduce the issue by deleting the cache/install.lock file to re-enter the installation process, then navigate to the "Site Configuration" page and input a crafted SQL injection payload in the "Site Domain" field.

For example, you might use SQL injection payloads that leverage error-based techniques such as updatexml to extract database information.

Specific commands depend on your testing environment, but a common approach is to use curl or a web proxy tool to send HTTP POST requests with malicious siteurl parameters to the /application/install/index.php endpoint after resetting the installation state.

  • Delete the cache/install.lock file to reset installation: `rm cache/install.lock`
  • Send a crafted POST request with a SQL injection payload in the siteurl parameter, for example using curl: `curl -X POST -d "siteurl=1' OR updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)#" http://target/application/install/index.php`

Observe the response for SQL error messages or extracted data indicating successful injection.

Mitigation Strategies

Immediate mitigation steps include preventing access to the installation module by ensuring the installation lock file (cache/install.lock) exists and cannot be deleted or bypassed.

Restrict access to the /application/install/index.php file via web server configuration or firewall rules to trusted administrators only.

Avoid exposing the installation process on production systems and ensure that the siteurl parameter is properly sanitized or disabled after installation.

Monitor logs for suspicious requests targeting the installation module and the siteurl parameter.

Since the vendor has not responded, consider applying custom patches or using web application firewalls (WAF) to block SQL injection payloads targeting this parameter.
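
The lock-file and log-monitoring checks above can be automated. The following is an added example, not code from YzmCMS or from this advisory; it assumes a web server writing Combined Log Format, and the function names, token list and sample log lines are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote, unquote_plus

INSTALL_PATH = "/application/install/index.php"  # endpoint named in the advisory
# Tokens worth flagging in a decoded query string (assumed list, tune per site).
SQLI_HINT = re.compile(r"updatexml|extractvalue|concat\s*\(|union\s+select|'", re.I)
# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def install_lock_present(webroot):
    """True when cache/install.lock exists under the YzmCMS web root."""
    return (Path(webroot) / "cache" / "install.lock").is_file()

def scan_access_log(lines):
    """Return (ip, method, status, severity) for each request that reaches the installer."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        # Normalise percent-encoding, case and duplicate slashes before comparing.
        path = re.sub(r"/+", "/", unquote(path)).lower()
        if path != INSTALL_PATH:
            continue
        # Access logs do not record POST bodies, so every POST to the installer is
        # rated high; a GET is high only when its query string carries SQL tokens.
        risky = m["method"] == "POST" or bool(SQLI_HINT.search(unquote_plus(query)))
        findings.append((m["ip"], m["method"], int(m["status"]),
                         "high" if risky else "medium"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jun/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Jun/2026:10:01:05 +0000] "GET /application/install/index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [29/Jun/2026:10:01:09 +0000] "POST /application/install/index.php HTTP/1.1" 200 312',
    '198.51.100.4 - - [29/Jun/2026:10:02:00 +0000] "GET /application//install/index.php?siteurl=x%27+and+updatexml(1,1,1) HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

On an installed production site, any hit on the installer path is worth reviewing, and a missing install.lock should be treated as an alert in its own right.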
