CVE-2026-54222

Deferred Deferred - Pending Action

Blind SQL Injection in UBB.threads

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: CERT.PL

Description

UBB.threads is vulnerable to Blind SQL Injection, allowing attackers with access to the Members in Control Panel to interact with the underlying database. Due to insufficient input sanitization, an attacker can extract sensitive information, such as user credentials, by manipulating SQL queries through time-based or boolean-based techniques. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-18

Last Modified

2026-06-18

Generated

2026-06-19

AI Q&A

2026-06-18

EPSS Evaluated

N/A

NVD

CVE-2026-54222

EUVD

EUVD-2026-37885

Affected Vendors & Products

Vendor	Product	Version / Range
ubbt	ubb_threads	to 7.7.5 (inc)
ubbthreads	ubbthreads	From 7.7.5 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

UBB.threads is vulnerable to Blind SQL Injection, which means attackers who have access to the Members section in the Control Panel can manipulate database queries without directly seeing the results.

Due to insufficient input sanitization, attackers can use time-based or boolean-based techniques to extract sensitive information such as user credentials by interacting with the underlying database.

Impact Analysis

This vulnerability can allow attackers with certain access privileges to extract sensitive data from the database, including user credentials.

Such unauthorized access to sensitive information can lead to account compromise, data breaches, and further exploitation of the system.

Compliance Impact

The vulnerability allows attackers to extract sensitive information such as user credentials by exploiting a Blind SQL Injection flaw. This exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information.

Since attackers with access to the Members in Control Panel can manipulate the database, this could result in unauthorized access to personal data, potentially violating confidentiality and integrity requirements mandated by these standards.

Hi! I’m here to help you understand CVE-2026-54222. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-54222

Blind SQL Injection in UBB.threads

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart