CVE-2026-57739
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-57739, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Patchstack

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Blind SQL Injection.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
acymailing_newsletter_team acymailing_smtp_newsletter to 10.11.0 (inc)
acymailing acymailing_smtp_newsletter From 10.0.0 (inc) to 10.11.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-57739 is a critical SQL Injection vulnerability found in the WordPress AcyMailing SMTP Newsletter Plugin, specifically in versions 10.11.0 and earlier.

This vulnerability allows attackers to inject malicious SQL commands into the database queries executed by the plugin without requiring any authentication.

Because it is a Blind SQL Injection, attackers can interact with the website's database in a way that may not immediately reveal data but can be used to extract sensitive information over time.

Impact Analysis

This vulnerability poses a critical risk with a CVSS score of 9.3, meaning it can have a severe impact on affected systems.

An attacker exploiting this flaw could directly interact with the website's database, potentially stealing sensitive information.

Additionally, the vulnerability could lead to partial denial of service due to its impact on availability.

Detection Guidance

The vulnerability is a Blind SQL Injection in the AcyMailing SMTP Newsletter Plugin versions up to 10.11.0. Detection typically involves monitoring for unusual or suspicious SQL query patterns or injection attempts targeting the plugin's endpoints.

While no specific commands are provided in the resources, common detection methods include using web application firewalls (WAF) with rules to detect SQL injection payloads, or running security scanners that test for SQL injection vulnerabilities against the plugin.

Administrators can also review web server logs for suspicious requests containing SQL injection payloads or unusual parameter values targeting the AcyMailing plugin.

Mitigation Strategies

The immediate recommended step is to update the AcyMailing SMTP Newsletter Plugin to version 10.11.1 or later, where the vulnerability has been patched.

Until the update can be applied, it is advised to implement the mitigation rule provided by Patchstack to block attack attempts targeting this SQL Injection vulnerability.

Additionally, applying a web application firewall (WAF) with SQL injection detection rules can help prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57739. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart