CVE-2026-49491

Vulnerability

Pixa Bank 2.0 contains an SQL injection vulnerability within the agence-ajax.php endpoint. This vulnerability is triggered by injecting SQL code into the rib parameter. The affected versions are not explicitly stated, but the vulnerability is present in Pixa Bank 2.0 [2].

Exploitation

Unauthenticated attackers can exploit this vulnerability by sending POST requests to the agence-ajax.php endpoint. These requests must include UNION-based SQL payloads within the rib parameter to successfully inject malicious SQL code and extract data [2].

Impact

Successful exploitation allows attackers to extract sensitive user information from the database. This includes details such as user names, email addresses, and phone numbers. The scope of the compromise is limited to the data accessible via the SQL injection, and no elevated privileges are gained beyond data retrieval [2].

Mitigation

No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult vendor advisories for updates on mitigation strategies or patches. It is not listed on the KEV catalog, and its End-of-Life status is unknown [1, 2].