CVE-2026-51946

SQL Injection in GoAdminGroup GoAdmin


Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: MITRE

Description

SQL Injection vulnerability in GoAdminGroup GoAdmin (last release v1.2.26) allows a remote attacker to execute arbitrary code and obtain sensitive information via the __sort_type URL parameter on all /admin/info/{table} endpoints.

Meta Information

Generated: 2026-07-02
AI Q&A generated: 2026-07-01
EPSS evaluated: N/A

Affected Vendors & Products

Vendor: goadmingroup
Product: goadmin
Version / Range: up to and including 1.2.26

CWE

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI Quick Actions

Compliance Impact

The SQL injection vulnerability in GoAdminGroup GoAdmin allows attackers to execute arbitrary code and exfiltrate sensitive information such as user credentials from the database.

This exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in violations of these standards due to the compromise of confidentiality and integrity of sensitive data.

Executive Summary

CVE-2026-51946 is a SQL Injection vulnerability in the GoAdmin framework, specifically in the __sort_type URL parameter used on all /admin/info/{table} endpoints.

The vulnerability arises because the __sort_type parameter is not properly validated before being interpolated into SQL queries using fmt.Sprintf. Although there is validation logic, the sanitized value is not stored, allowing the original unsanitized input to be used in query construction.

This flaw allows attackers to perform both time-based and error-based SQL injection attacks, enabling them to execute arbitrary code and extract sensitive information such as user credentials from the database.

Additionally, the lack of output encoding on this parameter results in a reflected Cross-Site Scripting (XSS) vulnerability.

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of arbitrary code on the affected system.

Attackers can exploit the SQL injection to extract sensitive information such as user credentials from the database.

The reflected XSS vulnerability can also be exploited to execute malicious scripts in the context of users' browsers, potentially leading to session hijacking or other attacks.

Overall, this can lead to data breaches, loss of data confidentiality, and compromise of system integrity.

Detection Guidance

The vulnerability can be detected by testing the __sort_type URL parameter on the /admin/info/{table} endpoints for SQL injection. Specifically, sending crafted payloads that exploit SQL injection techniques such as time-based or error-based injections can reveal the vulnerability.

For example, you can use curl or similar HTTP clients to send requests with malicious payloads in the __sort_type parameter and observe the responses for errors or delays indicative of SQL injection.

  • curl -i 'http://target/admin/info/users?__sort_type=1 OR 1=1--'
  • curl -i 'http://target/admin/info/users?__sort_type=1; WAITFOR DELAY '0:0:5'--'

These commands attempt to trigger error-based or time-based SQL injection responses, which can help detect the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /admin/info/{table} endpoints to trusted users only, such as by implementing IP whitelisting or strong authentication controls.

Additionally, avoid exposing the vulnerable __sort_type parameter to untrusted users and monitor logs for suspicious requests targeting this parameter.

Ultimately, updating to a patched version of GoAdmin that properly sanitizes and validates the __sort_type parameter before using it in SQL queries is necessary to fully remediate the issue.
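The following Go program is an added example, not GoAdmin's code, that illustrates two of the points above in one place: the defect pattern from the Executive Summary (a sort direction that is validated, but whose validated value is never stored before the raw input reaches fmt.Sprintf) next to a hardened builder that only ever emits a fixed keyword, and the log-monitoring advice from the mitigation section, applied here to constructed request paths. The function names (buildOrderByWeak, buildOrderByHardened, sortDirection, flagSuspiciousSortType), the column allowlist and the sample paths are all assumptions made for the example; only the parameter name __sort_type and the /admin/info/{table} path come from the advisory. The detector goes slightly beyond the page by also flagging a __sort_type that Go's query parser drops (for example because it contains a semicolon), so a malformed value does not slip past unseen.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed allowlist of columns a caller is permitted to sort by (assumption).
var sortableColumns = map[string]bool{"id": true, "name": true, "created_at": true}

// buildOrderByWeak reproduces the defect pattern the advisory describes:
// the input is checked, but the checked value is discarded and the raw
// string is interpolated into the statement.
func buildOrderByWeak(column, sortType string) string {
	checked := strings.ToUpper(strings.TrimSpace(sortType))
	if checked != "ASC" && checked != "DESC" {
		checked = "ASC"
	}
	_ = checked // validation result is never stored, so it has no effect
	return fmt.Sprintf("SELECT * FROM users ORDER BY %s %s", column, sortType)
}

var (
	ErrBadSortType = errors.New("sort type must be asc or desc")
	ErrBadColumn   = errors.New("column is not sortable")
)

// sortDirection maps the parameter onto one of two fixed SQL keywords;
// the user-supplied bytes themselves never reach the query text.
func sortDirection(sortType string) (string, error) {
	switch strings.ToLower(strings.TrimSpace(sortType)) {
	case "", "asc":
		return "ASC", nil
	case "desc":
		return "DESC", nil
	}
	return "", ErrBadSortType
}

// buildOrderByHardened accepts only an allowlisted column and the
// normalised direction returned by sortDirection.
func buildOrderByHardened(column, sortType string) (string, error) {
	if !sortableColumns[column] {
		return "", ErrBadColumn
	}
	dir, err := sortDirection(sortType)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT * FROM users ORDER BY %s %s", column, dir), nil
}

// flagSuspiciousSortType applies the same acceptance rule to request paths
// taken from an access log and returns the ones whose __sort_type value
// would be rejected by the hardened builder.
func flagSuspiciousSortType(requestPaths []string) []string {
	var flagged []string
	for _, p := range requestPaths {
		u, err := url.Parse(p)
		if err != nil || !strings.HasPrefix(u.Path, "/admin/info/") {
			continue
		}
		vals, ok := u.Query()["__sort_type"]
		if !ok {
			// Query() silently drops a pair it cannot parse (one containing ';').
			// A __sort_type that is present in the raw query but absent after
			// parsing is therefore itself worth reporting.
			if strings.Contains(u.RawQuery, "__sort_type=") {
				flagged = append(flagged, p)
			}
			continue
		}
		for _, v := range vals {
			if _, err := sortDirection(v); err != nil {
				flagged = append(flagged, p)
				break
			}
		}
	}
	return flagged
}

func main() {
	// Constructed sample request paths, in the form they would appear in an access log.
	sample := []string{
		"/admin/info/users?__page=1&__sort=id&__sort_type=desc",
		"/admin/info/users?__sort_type=1 OR 1=1--",
		"/admin/info/orders?__sort=created_at&__sort_type=ASC",
		"/admin/login",
	}
	fmt.Println("weak builder:", buildOrderByWeak("id", sample[1][len("/admin/info/users?__sort_type="):]))
	q, err := buildOrderByHardened("id", "desc")
	fmt.Println("hardened builder:", q, err)
	_, err = buildOrderByHardened("id", "1 OR 1=1--")
	fmt.Println("hardened builder on tampered input:", err)
	fmt.Println("flagged requests:", flagSuspiciousSortType(sample))
}
```

The hardened builder never copies the parameter into the statement: it returns the error or one of two string constants, so the shape of the ORDER BY clause is fixed at compile time regardless of input. The detector reuses that same decision function, which keeps the monitoring rule and the acceptance rule from drifting apart.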
