CVE-2026-52673
SQL Injection in Cboard Prior to Version 0.4.2

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: MITRE

Description
SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component
Affected Vendors & Products

Vendor: chuguotech
Product: cboard
Version / Range: up to 0.4.2 (exclusive)
CWE

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions
Executive Summary

CVE-2026-52673 is a SQL Injection vulnerability in CBoard versions 0.4.2 and earlier. It exists in the /cboard/dashboard/getDimensionValues.do endpoint, where user-supplied column-name expressions are concatenated directly into SQL statements without input validation or parameterized queries.

This flaw allows an authenticated attacker to inject malicious SQL code, which can manipulate the database queries executed by the application.

For example, an attacker can use specially crafted inputs like "A*2" in the columnName parameter to execute arbitrary SQL expressions, potentially extracting sensitive data or bypassing logical conditions.

Compliance Impact

The SQL Injection vulnerability in CBoard versions 0.4.2 and earlier allows attackers to execute arbitrary SQL queries and potentially extract sensitive data from the backend database.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary SQL queries on the backend database, which may lead to unauthorized access to sensitive data.

Attackers could extract confidential information, manipulate or delete data, and potentially escalate their privileges within the application.

Such impacts can compromise the integrity, confidentiality, and availability of the affected system.

Detection Guidance

This vulnerability can be detected by testing the /cboard/dashboard/getDimensionValues.do endpoint for SQL injection flaws, specifically by injecting SQL expressions into the columnName parameter.

A simple detection method is to send a crafted request with a SQL expression such as "A*2" in the columnName parameter and observe if the response returns the computed result instead of treating it as a string.

  • Use curl or similar tools to send a request like: curl -X POST -d "columnName=A*2" https://[target]/cboard/dashboard/getDimensionValues.do
  • If the response contains the computed result (e.g., 18) rather than an error or the literal string, it indicates the presence of the SQL injection vulnerability.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to trusted users only, such as by implementing strong authentication and network-level access controls.

Additionally, avoid using vulnerable versions of CBoard (0.4.2 and earlier) and upgrade to a version where this vulnerability is fixed once available.

As a temporary measure, monitor and block suspicious requests targeting the /cboard/dashboard/getDimensionValues.do endpoint that contain unusual SQL expressions in parameters.
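The root cause the Executive Summary describes (a column name concatenated into the query text) next to the allowlist fix that the Mitigation Strategies section points toward. This is an added illustration in Python against an in-memory SQLite table, not Cboard's code; the `sales` table, its rows and the function names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a dashboard data source (not Cboard's schema).
SAMPLE_SCHEMA = """
CREATE TABLE sales (region TEXT, amount INTEGER);
INSERT INTO sales VALUES ('north', 9), ('south', 9);
"""

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def dimension_values_unsafe(conn: sqlite3.Connection, table: str, column_name: str) -> list:
    """Vulnerable pattern (CWE-89): the column name is concatenated into the SQL text.
    Bind parameters cannot protect an identifier position, so an input such as
    "amount*2" is evaluated by the database instead of being treated as a name."""
    sql = f"SELECT DISTINCT {column_name} FROM {table}"
    return [row[0] for row in conn.execute(sql)]


def dimension_values_safe(conn: sqlite3.Connection, table: str, column_name: str) -> list:
    """Hardened pattern: both identifiers must match a strict grammar and the
    column must exist in the table's catalog; only then are they quoted into SQL."""
    if not IDENTIFIER.match(table) or not IDENTIFIER.match(column_name):
        raise ValueError("identifier contains characters outside [A-Za-z0-9_]")
    known_columns = {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}
    if column_name not in known_columns:
        raise ValueError(f"unknown column {column_name!r} on table {table!r}")
    sql = f'SELECT DISTINCT "{column_name}" FROM "{table}"'
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = open_sample_db()
    # The injected expression is evaluated: the "computed result" signal the advisory describes.
    print("unsafe:", dimension_values_unsafe(db, "sales", "amount*2"))  # [18]
    try:
        dimension_values_safe(db, "sales", "amount*2")
    except ValueError as err:
        print("safe rejected:", err)
```

The computed value coming back in place of a column's contents is the same signal the Detection Guidance above relies on; the hardened function turns that input into a validation error before any SQL is built.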
