CVE-2026-38581

Deferred Deferred - Pending Action

SQL Injection in Damasac Thaipalliative LTE

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: MITRE

Description

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-11

Last Modified

2026-06-11

Generated

2026-06-11

AI Q&A

2026-06-11

EPSS Evaluated

N/A

NVD

CVE-2026-38581

EUVD

EUVD-2026-36241

Affected Vendors & Products

Vendor	Product	Version / Range
damasac	thaipalliative_lte	From 1.0 (inc) to 3.0 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-38581 is a critical SQL Injection vulnerability in the damasac thaipalliative_lte software, affecting versions up to 3.0. It exists in the /substudy/ezform.php file where two URL parameters, idFormMain and id, are directly concatenated into SQL queries without proper sanitization or use of parameterized statements.

This improper handling allows remote attackers to inject arbitrary SQL commands by manipulating these parameters, potentially compromising the database.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to manipulate SQL queries, which can lead to several severe impacts.

Extraction of sensitive database contents, such as patient records.
Bypassing authentication mechanisms.
Reading server files.
Writing malicious files like webshells to the server.

Additionally, error messages are exposed to users, which can aid attackers in exploiting the vulnerability further.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the /substudy/ezform.php endpoint for suspicious usage of the idFormMain and id parameters, which are vulnerable to SQL injection.

You can use network traffic inspection tools or web application firewalls to look for SQL injection patterns in these parameters.

Example commands to detect potential exploitation attempts include using curl or wget to test injection payloads, or using grep to search web server logs for suspicious parameter values.

grep 'idFormMain=' /var/log/apache2/access.log | grep -E "(\' OR 1=1|\'--|\' #)"
curl -G 'http://target/substudy/ezform.php' --data-urlencode "idFormMain=1' OR '1'='1"
Use web application scanners like sqlmap targeting the parameters idFormMain and id to automate detection.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint and parameters, disabling error message exposure to users, and applying least privilege to the database user.

Since no patch is currently available, you should implement input validation and sanitization on the idFormMain and id parameters to prevent SQL injection.

Additionally, monitor logs for suspicious activity and consider deploying a web application firewall (WAF) to block malicious requests targeting these parameters.

Restrict access to /substudy/ezform.php to trusted IPs if possible.
Disable detailed SQL error messages in production environments.
Apply least privilege to the MySQL user account used by the application.
Plan to update the code to use parameterized prepared statements instead of direct concatenation of user input.

Compliance Impact

This SQL Injection vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially extracting sensitive database contents such as patient records.

Exposure of sensitive patient data due to this vulnerability could lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and health information.

The vulnerability also exposes error messages to users, which can aid attackers and further compromise system security, undermining compliance with security best practices required by these standards.

Remediation steps such as using parameterized queries, removing error exposure, and applying least privilege principles are necessary to mitigate risks and help maintain compliance.

Hi! I’m here to help you understand CVE-2026-38581. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-38581

SQL Injection in Damasac Thaipalliative LTE

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart