VYPR
Critical severity · NVD Advisory · Published Oct 30, 2019 · Updated Aug 4, 2024

CVE-2019-10762


Description

columnQuote in medoo before 1.7.5 allows remote attackers to perform a SQL Injection due to improper escaping.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in Medoo's columnQuote function, caused by improper escaping, allowing unauthenticated remote attackers to execute arbitrary SQL queries.

The vulnerability is a SQL injection flaw in the columnQuote function of Medoo, a lightweight PHP database framework. The function does not properly escape user-supplied input when constructing column names in SQL queries, enabling an attacker to inject arbitrary SQL commands [1]. This affects all Medoo versions prior to 1.7.5.

Exploitation is straightforward: an attacker can provide crafted input as a column name parameter without requiring authentication. The existing validation uses a regex that is insufficient to prevent injection, allowing malicious strings to pass through and be incorporated into SQL statements [3].

Successful exploitation could allow an attacker to read, modify, or delete arbitrary data from the database. Depending on the database system and privileges, this might also lead to remote code execution or full server compromise.

A fix was released in Medoo version 1.7.5, which adds stricter validation in the columnQuote method to reject invalid column names [3]. Users are advised to upgrade immediately to mitigate the risk.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
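To make the effect of the 1.7.5 check concrete, here is an added example (not Medoo's own source) that reimplements the pre- and post-fix behaviour of columnQuote as seen in the patch diff and runs both over a handful of constructed column names; the table prefix "t_" and the class name are assumptions. Note that the 1.7.5 pattern as shown in the diff has no underscore in its character classes, so a conventional name like user_id is rejected along with names carrying identifier-quote characters.

```php
<?php
// Added example, not Medoo's own code: a minimal stand-in for columnQuote()
// before and after the 1.7.5 guard. Prefix "t_" is an assumed sample value.
final class ColumnQuoteDemo
{
    private string $prefix = 't_';

    // Pre-1.7.5 behaviour as shown in the diff context: the name is quoted
    // as-is, so a '"' inside it terminates the identifier early.
    public function quoteUnchecked(string $string): string
    {
        if (strpos($string, '.') !== false) {
            return '"' . $this->prefix . str_replace('.', '"."', $string) . '"';
        }
        return '"' . $string . '"';
    }

    // 1.7.5 behaviour: only [A-Za-z0-9]+ with at most one "." qualifier passes.
    public function quoteChecked(string $string): string
    {
        if (!preg_match('/^[a-zA-Z0-9]+(\.?[a-zA-Z0-9]+)?$/i', $string)) {
            throw new InvalidArgumentException("Incorrect column name \"$string\"");
        }
        return $this->quoteUnchecked($string);
    }
}

$demo = new ColumnQuoteDemo();
// Constructed sample names: plain, table-qualified, underscore, and two that
// contain an identifier quote and must never reach the SQL string unchecked.
$samples = ['id', 'user.id', 'user_id', 'id"', 'a"."b'];
foreach ($samples as $name) {
    $unchecked = $demo->quoteUnchecked($name);
    try {
        $checked = $demo->quoteChecked($name);
    } catch (InvalidArgumentException $e) {
        $checked = 'REJECTED (' . $e->getMessage() . ')';
    }
    printf("%-10s unchecked=%-18s checked=%s\n", $name, $unchecked, $checked);
}
```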

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Affected versions | Patched versions
catfan/medoo (Packagist) | < 1.7.5           | 1.7.5

Affected products: 3

Patches: 1

659864b39396

[fix] Fix columnQuote for security issue reported by Snyk

https://github.com/catfan/Medoo · Angel Lai · Oct 11, 2019 · via ghsa
1 file changed · +5 −0
  • src/Medoo.php · +5 −0 · modified
    @@ -500,6 +500,11 @@ protected function typeMap($value, $type)
     
     	protected function columnQuote($string)
     	{
    +		if (!preg_match('/^[a-zA-Z0-9]+(\.?[a-zA-Z0-9]+)?$/i', $string))
    +		{
    +			throw new InvalidArgumentException("Incorrect column name \"$string\"");
    +		}
    +
     		if (strpos($string, '.') !== false)
     		{
     			return '"' . $this->prefix . str_replace('.', '"."', $string) . '"';
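Review bot: the new guard's character classes contain no underscore, so any column named in the common user_id style now throws InvalidArgumentException; if that is not intended, add `_` to both classes, e.g. `/^[a-zA-Z0-9_]+(\.?[a-zA-Z0-9_]+)?$/`. The `i` modifier is redundant since both letter cases are already listed. The optional `\.?` also means at most one table.column qualifier is accepted, and the exception message interpolates the rejected string verbatim, which applications that surface exception text to users may want to avoid; both points are worth a sentence in the commit message as this is a behaviour change for callers.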
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.