CVE-2026-38581
Description
SQL injection in damasac/thaipalliative_lte ≤3.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via idFormMain or id parameters in /substudy/ezform.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An SQL injection vulnerability exists in damasac/thaipalliative_lte versions 1.0 through 3.0. The file /substudy/ezform.php contains two injection points: the idFormMain parameter on line 14 and the id parameter on line 49 [1][2]. Both parameters are concatenated directly into MySQL queries without sanitization or parameterized statements, allowing an attacker to manipulate query logic [1][2].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted GET request to /substudy/ezform.php with a malicious payload in either the idFormMain or id parameter [1]. Error-based, UNION-based, and blind injection techniques are possible due to the presence of mysqli_error() output and the lack of input validation [1]. No special privileges or prior interaction are required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands, leading to full database compromise [1]. This can result in unauthorized read, modification, or deletion of sensitive data, including potential privilege escalation within the application [1].
Mitigation
No official patch is available from the vendor [1]. Until one is released, the affected code must be fixed locally: validate the idFormMain and id parameters and pass them to MySQL through parameterized queries rather than string concatenation. If the code cannot be changed, restrict network access to the /substudy/ezform.php endpoint (for example, allow only trusted addresses at the web server or firewall) or take the application offline until a fix is available [1].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Two entries, neither with a CPE assigned:
- (no CPE)
- (no CPE), version range: <=3.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct concatenation of unsanitized user input (`$_GET["idFormMain"]` and `$_REQUEST["id"]`) into SQL query strings without parameterization or escaping."
Attack vector
An unauthenticated remote attacker sends crafted HTTP GET requests to `/substudy/ezform.php` with malicious payloads in the `idFormMain` or `id` parameter. The application concatenates these inputs directly into MySQL queries and exposes error output via `or die(mysqli_error())`, enabling error-based, UNION-based, or boolean-blind SQL injection [ref_id=1]. No authentication or special network position is required (CVSS 9.8, AV:N/AC:L/PR:N/UI:N).
Affected code
The vulnerability resides in `/substudy/ezform.php` (commit 57b5763). Two injection points exist: line 14 concatenates `$_GET["idFormMain"]` directly into a SQL query, and line 49 concatenates `$_REQUEST["id"]` (assigned at lines 32-33) into a second query. No sanitization, prepared statements, or `mysqli_real_escape_string()` calls are used at either point [ref_id=1].
What the fix does
The advisory states that no patch is available from the vendor [ref_id=1]. To remediate, the application must replace direct string concatenation with parameterized prepared statements (e.g., using `mysqli_prepare()` and `mysqli_stmt_bind_param()`). `mysqli_real_escape_string()` is a weaker fallback: it only neutralizes quote characters inside a quoted string literal, so it does nothing for an id that is spliced into the query unquoted (`WHERE id = $id`); such values must be cast to an integer or bound as a parameter. Error output from `mysqli_error()` should be logged server-side rather than returned to the client, input should be validated against the expected format (a decimal id), and the database account used by the application should hold only the privileges the page needs.
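The following is an added illustration of the fix described above; it is not code from the thaipalliative_lte project. The "vulnerable" function reconstructs the pattern the advisory describes (user input concatenated into the query, failure echoed through `mysqli_error()`); the real `ezform.php` source is not reproduced here, and the table and column names (`forms`, `form_fields`, `idFormMain`, `id`) are assumptions. The hardened functions validate each parameter as a decimal id and bind it through a prepared statement, and the same helper serves both injection points named in the advisory (`idFormMain` at line 14 and `id` at line 49).

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Table and column names are assumed.

// Reconstruction of the vulnerable pattern described in the advisory (assumed
// shape, not the real ezform.php): attacker text becomes part of the SQL
// statement, and any error it provokes is sent back to the client.
function load_form_vulnerable(mysqli $db)
{
    $sql = "SELECT * FROM forms WHERE idFormMain = '" . $_GET["idFormMain"] . "'";
    $res = mysqli_query($db, $sql) or die(mysqli_error($db));
    return $res;
}

// Hardened replacement, step 1: validate. Only a plain decimal id is accepted;
// nothing is "cleaned", anything else is rejected outright.
function require_int_param(array $src, string $name): ?int
{
    if (!isset($src[$name]) || !is_string($src[$name])
        || !preg_match('/^[1-9][0-9]{0,9}$/', $src[$name])) {
        return null;
    }
    return (int) $src[$name];
}

// Step 2: parameterize. $sql must contain exactly one "?" placeholder; the id
// travels to the server separately from the query text, so it can never
// change the statement's structure. Errors are logged, never echoed.
function fetch_rows_by_id(mysqli $db, string $sql, int $id): ?array
{
    try {
        $stmt = mysqli_prepare($db, $sql);
        if ($stmt === false) {            // PHP < 8.1 default: false on error
            error_log('prepare failed: ' . mysqli_error($db));
            return null;
        }
        mysqli_stmt_bind_param($stmt, 'i', $id);
        if (!mysqli_stmt_execute($stmt)) {
            error_log('execute failed: ' . mysqli_stmt_error($stmt));
            return null;
        }
        $result = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver
        return $result === false ? [] : mysqli_fetch_all($result, MYSQLI_ASSOC);
    } catch (mysqli_sql_exception $e) {    // PHP >= 8.1 default: exceptions
        error_log('query failed: ' . $e->getMessage());
        return null;
    } finally {
        if (isset($stmt) && $stmt instanceof mysqli_stmt) {
            mysqli_stmt_close($stmt);
        }
    }
}

// Callers for the two parameters named in the advisory.
function load_form_fixed(mysqli $db): ?array
{
    $idFormMain = require_int_param($_GET, 'idFormMain');
    if ($idFormMain === null) {
        http_response_code(400);
        return null;
    }
    return fetch_rows_by_id($db, 'SELECT * FROM forms WHERE idFormMain = ?', $idFormMain);
}

function load_record_fixed(mysqli $db): ?array
{
    // The advisory says the original reads this from $_REQUEST; $_GET is used
    // here deliberately so a cookie or POST body cannot supply the value.
    $id = require_int_param($_GET, 'id');
    if ($id === null) {
        http_response_code(400);
        return null;
    }
    return fetch_rows_by_id($db, 'SELECT * FROM form_fields WHERE id = ?', $id);
}
```

Two points a reviewer should check in a local fix of this kind: first, that no query path still builds SQL from `$_GET`, `$_POST` or `$_REQUEST` by concatenation, since escaping with `mysqli_real_escape_string()` would not protect an unquoted numeric comparison anyway; second, that `display_errors` is off in production, because in PHP 8.1 and later `mysqli` raises `mysqli_sql_exception` by default and an uncaught exception would leak the same query detail that `or die(mysqli_error())` did. Running the page under a database account limited to `SELECT` on the tables it needs bounds the damage if a further injection point is found.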
Preconditions
- network: Attacker must be able to send HTTP requests to the vulnerable endpoint /substudy/ezform.php
- auth: No authentication required
- config: No special configuration required
- input: Attacker controls the idFormMain or id query parameter
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.