VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-38930

Description

OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the name cookie parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authentication bypass vulnerability in RapidCMS v1.3.1 allows unauthenticated attackers to gain unauthorized access via crafted SQL injection in the name cookie parameter.

Vulnerability

RapidCMS v1.3.1 contains an authentication bypass vulnerability in the /template/default/menu.php component. The application uses cookies named name and user for authentication. The name cookie parameter is directly incorporated into an SQL query without proper sanitization, allowing injection of crafted SQL payloads. The vulnerability is triggered by sending a specially crafted HTTP cookie request containing a SQL injection payload in the name cookie [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by first registering a legitimate user account and logging in to obtain valid cookie values. Using browser developer tools, the attacker observes the user and name cookies. The attacker then modifies the user cookie to a calculated value based on the application's internal encode() function, and sets the name cookie to a SQL injection payload such as `test" and 0 union select "test"#`. After refreshing the page, the manipulated cookies cause the authentication query to return a different result, thereby bypassing authentication [1].

Impact

Successful exploitation allows an attacker to bypass authentication and gain unauthorized access to the application. The attacker can then perform actions as an authenticated user, potentially including viewing, modifying, or deleting content managed by RapidCMS. The exact scope of unauthorized access depends on the privileges of the user whose session is impersonated, but the vulnerability effectively undermines access control [1].

Mitigation

As of the publication date, no patch has been released by OpenRapid. The vendor has not announced a fix or workaround. Users are advised to monitor the official vendor repository for updates. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • OpenRapid/Rapidcms (inferred), 2 versions
    = 1.3.1 (+ 1 more)
    • (no CPE) range: = 1.3.1
    • (no CPE) range: =1.3.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the `name` cookie parameter allows SQL injection in `/template/default/menu.php`."

Attack vector

An unauthenticated attacker sends a crafted HTTP request containing two cookies: `name` and `user` [1]. The `name` cookie carries a SQL injection payload (e.g., `test" and 0 union select "test"#`) that manipulates the database query used for authentication [1]. The `user` cookie is set to a value computed by the application's `encode()` function that matches the injected data, allowing the attacker to bypass authentication and gain unauthorized access [1].

Affected code

The vulnerable component is `/template/default/menu.php` in RapidCMS v1.3.1 [1]. The `$_COOKIE["name"]` parameter is used directly in a SQL query without sanitization, and the application's internal `encode()` logic computes a matching `user` cookie value from the injected data [1].

What the fix does

No patch is published in the provided bundle. The advisory [1] identifies that the root cause is the lack of input sanitization on the `$_COOKIE["name"]` parameter in `/template/default/menu.php`. The remediation would require properly escaping or parameterizing the SQL query that uses the cookie value, and validating that the cookie value matches expected formats before it is used in database operations [1].
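
One way to apply the format validation described above while no patch exists, as an added example (not RapidCMS code and not code from the advisory): it rejects any request whose `name` cookie falls outside an allow-list. The username pattern, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: legitimate usernames are 1-32 letters, digits, '_' or '-'.
# Adjust this to match the site's real registration rules.
NAME_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")


def cookie_values(header, wanted):
    """Return every URL-decoded value sent for cookie `wanted` in a Cookie header."""
    values = []
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == wanted:
            # Decode first, so a percent-encoded payload is judged in its real form.
            values.append(unquote(value))
    return values


def name_cookie_verdict(header):
    """Classify a request by its `name` cookie: 'absent', 'ok' or 'reject'."""
    values = cookie_values(header, "name")
    if not values:
        return "absent"
    # Duplicates are checked too, so a clean copy cannot hide a bad one.
    if all(NAME_ALLOWED.fullmatch(v) for v in values):
        return "ok"
    return "reject"


def flag_requests(records):
    """Return (client, path) for each (client, path, cookie_header) record to reject."""
    return [(c, p) for c, p, h in records if name_cookie_verdict(h) == "reject"]


# Constructed sample requests; client addresses come from a documentation range.
SAMPLE = [
    ("192.0.2.10", "/index.php", "user=abc123; name=alice"),
    ("192.0.2.11", "/index.php", 'user=x; name=test" and 0 union select "test"#'),
    ("192.0.2.12", "/index.php",
     "user=x; name=test%22%20and%200%20union%20select%20%22test%22%23"),
    ("192.0.2.13", "/index.php", "user=x; name=bob; name=b%22%23"),
    ("192.0.2.14", "/index.php", "theme=dark"),
]

if __name__ == "__main__":
    for client, path in flag_requests(SAMPLE):
        print("reject", client, path)
```

A check like this fits in a reverse proxy or WAF rule in front of the application, or in a log review job. It narrows exposure only and does not replace parameterizing the query.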

Preconditions

  • network: The attacker must be able to send HTTP requests to the RapidCMS application
  • input: The attacker must register an arbitrary user and log in to obtain the application's cookie format and encode() logic

Reproduction

1. Register an arbitrary user and log in to the website.
2. Open Developer Tools (F12), navigate to the Application/Storage tab, and observe the `user` and `name` cookies.
3. Modify the `user` cookie value to `dtGeVsztdCIgYW5kIDAgdW5pb24gc2VsZWN0ICJ0ZXN0IiMO0O0O`.
4. Modify the `name` cookie value to `test" and 0 union select "test"#`.
5. Refresh the website; the authentication bypass is triggered [1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
