CVE-2026-40455
Received - Intake
SQL Injection in LMS Before Commit 4cb30a7

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: CERT.PL

Description
An SQL Injection vulnerability exists in LMS (LAN Management System) before commit 4cb30a7 within the "tarifflist.php" module due to insufficient sanitization of the POST "tg[]" parameter. The application directly concatenates user-supplied array values into an SQL query using "implode()", allowing authenticated attackers to perform Error-Based SQL injection and extract sensitive database information.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: chilek
Product: lms
Version / Range: to 4cb30a7 (exc)
CWE ID: CWE-89
Description: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Impact Analysis

This vulnerability can allow authenticated attackers to execute Error-Based SQL Injection attacks, which means they can manipulate the SQL queries executed by the application. As a result, attackers can extract sensitive information from the database, potentially compromising confidential data managed by the LMS.

Executive Summary

CVE-2026-40455 is an SQL Injection vulnerability in the LAN Management System (LMS) before commit 4cb30a7, specifically in the "tarifflist.php" module. The issue arises because the application does not properly sanitize the POST parameter "tg[]". It directly concatenates user-supplied array values into an SQL query using the implode() function. This allows authenticated attackers to perform Error-Based SQL Injection attacks and extract sensitive information from the database.

Compliance Impact

The SQL Injection vulnerability in LMS allows authenticated attackers to extract sensitive database information. This exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

By enabling attackers to access sensitive information through the vulnerability, organizations using affected LMS versions risk violating confidentiality and data integrity requirements mandated by these standards.

Detection Guidance

This vulnerability is an SQL Injection in the LMS application within the tarifflist.php module, specifically related to the POST parameter tg[]. Detection involves monitoring for unusual or malicious SQL queries or attempts to exploit this parameter.

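Since the vulnerability requires authenticated access and targets a specific POST parameter, detection can include inspecting web server logs for suspicious POST requests to tarifflist.php containing the tg[] parameter with unexpected or malformed input. POST bodies are not written to the access log in the default Apache log formats, so the tg[] values are visible only where request-body logging is enabled (for example in a WAF audit log); in URL-encoded bodies the parameter name may also appear as tg%5B%5D.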

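Example commands to find POST requests to the module in the logs, and to check whether the installed module references the parameter, might use grep or similar log analysis tools. The -F option makes grep treat tg[] as a literal string; without it, [] is parsed as an unterminated bracket expression and grep exits with an error:

  • grep -i 'POST.*tarifflist\.php' /var/log/apache2/access.log | grep -F 'tg[]'
  • grep -rF 'tg[]' /var/www/lms/modules/tarifflist.php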

Additionally, using web application firewalls (WAF) or intrusion detection systems (IDS) configured to detect SQL injection patterns in POST parameters can help identify exploitation attempts.
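
Because the fix described under Mitigation Strategies allows only integer values in tg[], any other value in a captured request body is worth flagging. The following is an added example, not code from the original page or from the LMS project; it assumes request bodies are available as URL-encoded strings (for example from a WAF audit log) and that valid IDs are non-negative decimal integers, and the sample bodies are constructed.

```python
from urllib.parse import parse_qsl

# Parameter name from the advisory. PHP also accepts indexed forms such as
# tg[0], so every name of the shape tg[...] is inspected.
PARAM_PREFIX = "tg["


def is_tg_param(name):
    """True for tg[] and indexed variants like tg[0]."""
    return name.startswith(PARAM_PREFIX) and name.endswith("]")


def suspicious_tg_values(body):
    """Return each tg[...] value in a URL-encoded body that is not a plain
    non-negative decimal integer (assumed shape of a valid ID)."""
    flagged = []
    # parse_qsl percent-decodes names and values, so tg%5B%5D is matched too.
    for name, value in parse_qsl(body):
        if is_tg_param(name) and not (value.isascii() and value.isdigit()):
            flagged.append(value)
    return flagged


def scan(bodies):
    """Map the index of each body with at least one flagged value to those values."""
    report = {}
    for index, body in enumerate(bodies):
        hits = suspicious_tg_values(body)
        if hits:
            report[index] = hits
    return report


# Constructed sample request bodies, not taken from real traffic.
SAMPLE_BODIES = [
    "tg%5B%5D=1&tg%5B%5D=27",        # integers only: not flagged
    "tg[]=4&tg[]=2%20OR%201%3D1",    # non-integer value: flagged
    "tg%5B0%5D=5%27&other=abc",      # indexed form with a stray quote: flagged
    "other=1%20OR%201=1",            # different parameter: ignored
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_BODIES).items():
        print(f"body {index}: non-integer tg[] values {hits!r}")
```
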

Mitigation Strategies

The immediate mitigation step is to update the LMS application to a version that includes the fix introduced in commit 4cb30a7, which adds input validation to sanitize the tg[] POST parameter.

This fix involves sanitizing the input by filtering the tg[] parameter to allow only integer values before using it in SQL queries, preventing SQL injection.

If immediate updating is not possible, consider implementing input validation or filtering at the web server or application firewall level to block malicious input targeting the tg[] parameter.

Also, restrict access to the LMS application to trusted authenticated users only, as the vulnerability requires authentication.
