CVE-2026-2247
Description
SQL injection vulnerability (SQLi) in Clickedu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application.
In the URL of the generated PDF, the session token used does not expire, so it remains valid for days after its generation, and unusual characters can be entered after the ‘id_alu’ parameter, resulting in two types of SQLi: boolean-based blind and time-based blind. Exploiting this vulnerability could allow an attacker to access confidential information in the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Clickedu SaaS report generation allows authenticated attackers to access confidential database information via a non-expiring session token and malicious payload in the URL.
Vulnerability
CVE-2026-2247 is a SQL injection vulnerability in Clickedu's SaaS platform, specifically in the report generation feature. Two weaknesses combine: the session token embedded in the URL generated after downloading a student's report card from the 'Day-to-day' section of the mobile application does not expire, and the id_alu parameter in that URL does not properly sanitize input, so unusual characters can be appended to it, leading to boolean-based blind and time-based blind SQL injection [1].
Exploitation
An authenticated remote attacker can exploit this by crafting a malicious payload appended to the id_alu parameter in the PDF download URL. The session token remains valid for days after generation, enabling repeated exploitation without re-authentication. The attack is performed from the mobile application interface and does not require additional privileges beyond standard user authentication [1].
Impact
Successful exploitation allows the attacker to exfiltrate confidential information from the database, including sensitive educational management data. The CVSS v4.0 base score of 8.3 reflects high impact on confidentiality for both the vulnerable system and subsequent environments, with no impact on integrity or availability [1].
Mitigation
The Clickedu team has fixed the vulnerability in their integration as of January 26, 2026. Users are advised to ensure their SaaS platform is updated to the latest version to mitigate the risk [1].
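The two weaknesses above (an unsanitized id_alu value spliced into SQL, and a download token with no expiry) map onto two server-side controls. The following is an added illustration in Python with sqlite3, not Clickedu's code and not derived from the fix; the table layout, the SECRET_KEY value, the 15-minute TTL and the token format are all assumptions constructed for the example. It shows the vulnerable query-building pattern beside a hardened version that validates and binds the identifier, and an HMAC-signed download token whose expiry is part of the signed data.

```python
import hashlib
import hmac
import sqlite3
import time
from typing import Optional, Tuple

# Constructed placeholder values for the example; a real deployment would load
# the key from a secret store and choose its own token lifetime.
SECRET_KEY = b"example-server-secret-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60  # assumption: report downloads stay valid for 15 minutes


def build_report_sql_vulnerable(id_alu: str) -> str:
    """Vulnerable pattern (the kind of injection point the CVE describes):
    the client-supplied id_alu is pasted verbatim into the SQL text, so any
    characters after the number become part of the query."""
    return f"SELECT id_alu, name, grades FROM report_card WHERE id_alu = {id_alu}"


def is_valid_id_alu(id_alu: str) -> bool:
    """Hardened input check: a student id is a positive decimal integer, nothing else."""
    return id_alu.isdigit()


def fetch_report_card(conn: sqlite3.Connection, id_alu: str) -> Optional[Tuple]:
    """Hardened query: reject anything that is not an integer id, then bind the
    value as a parameter so the database never interprets it as SQL."""
    if not is_valid_id_alu(id_alu):
        raise ValueError("id_alu must be a positive integer")
    cur = conn.execute(
        "SELECT id_alu, name, grades FROM report_card WHERE id_alu = ?",
        (int(id_alu),),
    )
    return cur.fetchone()


def issue_download_token(id_alu: int, now: Optional[float] = None) -> str:
    """Short-lived download token: 'id:expiry:hmac'. Because the expiry is
    covered by the MAC, a client cannot extend the token's lifetime."""
    current = now if now is not None else time.time()
    exp = int(current + TOKEN_TTL_SECONDS)
    msg = f"{id_alu}:{exp}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{id_alu}:{exp}:{sig}"


def verify_download_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the id_alu the token authorises, or None if the token is malformed,
    tampered with, or past its expiry."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    id_part, exp_part, sig = parts
    expected = hmac.new(SECRET_KEY, f"{id_part}:{exp_part}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    current = now if now is not None else time.time()
    if current > int(exp_part):
        return None
    return int(id_part)


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the report data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE report_card (id_alu INTEGER PRIMARY KEY, name TEXT, grades TEXT)"
    )
    conn.executemany(
        "INSERT INTO report_card VALUES (?, ?, ?)",
        [(1, "Student A", "A,B,A"), (2, "Student B", "B,B,C")],
    )
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(fetch_report_card(conn, "2"))
    token = issue_download_token(2)
    print(verify_download_token(token))
```

Two points worth noting in the design: the hardened path rejects non-numeric ids before the database is involved, so a blind-injection probe never reaches the query planner and shows up in application logs as a validation failure rather than as a slow or oddly shaped SQL statement; and a token that carries its own signed expiry is self-limiting, so even a leaked PDF URL stops working after the window closes instead of staying usable for days.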
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in the index yet)