Critical severity 9.8 · NVD Advisory · Published Apr 23, 2026 · Updated Apr 29, 2026
CVE-2026-41460
Description
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.
Affected products
- cpe:2.3:a:socialengine:socialengine:*:*:*:*:*:*:*:* (range: <=7.8.0)
- (no CPE) (range: <=7.8.0)
References
- karmainsecurity.com/KIS-2026-08 (nvd; Exploit, Third Party Advisory)
- karmainsecurity.com/pocs/CVE-2026-41460.php (nvd; Exploit)
- www.vulncheck.com/advisories/socialengine-sql-injection-via-activity-index-get-memberall (nvd; Third Party Advisory)
- socialengine.com (nvd; Product)
- seclists.org/fulldisclosure/2026/Apr/12 (nvd)