Vulnerability-Lookup

GHSA-XWQR-RCQG-22MR

Vulnerability from github – Published: 2026-05-06 21:35 – Updated: 2026-05-14 20:40

Summary

Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

Details

Summary

SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys.

Affected code

flight/database/SimplePdo.php:

// insert (≈ 320-373)
$sql = sprintf(
    "INSERT INTO %s (%s) VALUES (%s)",
    $table,                            // raw concat
    implode(', ', $columns),           // raw array_keys($data)
    implode(', ', $placeholders)
);

// update (≈ 397-409)
$sets[] = "$column = ?";               // $column = user-controlled key
$sql = sprintf(
    "UPDATE %s SET %s WHERE %s",
    $table,                            // raw
    implode(', ', $sets),
    $where
);

// delete (≈ 427-429)
$sql = "DELETE FROM $table WHERE $where";

No identifier-quoting helper exists; neither $table nor the data keys are validated against a safe-identifier pattern.

Proof of concept

A controller does:

$db->insert('users', $request->data->getData());

The attacker sends the JSON body:

{"name, is_admin) VALUES (?, 1);-- ": "attacker_injected"}

Generated SQL:

INSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?)

After the -- comment, the effective statement INSERT INTO users (name, is_admin) VALUES (?, 1) binds the single placeholder 'attacker_injected', yielding a row with is_admin = 1.

Reproduced live on an in-memory sqlite database (testproj/sqli_live2.php):

id=1  name=alice              is_admin=0
id=2  name=attacker_injected  is_admin=1   <-- injected insert

UPDATE injection via the $where parameter was also reproduced: $db->update('users', ['is_admin' => 1], "id = 1 OR 1=1") flips admin on every row.

Impact

Privilege escalation on any signup / register endpoint that forwards request data to insert() (attacker creates an administrative account in a single request).
Arbitrary column write through update() keys.
Data destruction and exfiltration through the $where parameter (DELETE FROM users WHERE 1=1, UNION-based exfil, etc.).

Patch (fixed in `3.18.1`, commit `b8dd23a`)

A new requireSafeIdentifier() helper validates table names and column names against ^[A-Za-z_][A-Za-z0-9_]*$ before they are interpolated into the SQL string. The $where parameter remains raw SQL as documented — parameterized values passed alongside it continue to be bound safely.

Credit

Discovered by @Rootingg.

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "flightphp/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:35:55Z",
    "nvd_published_at": "2026-05-13T20:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`SimplePdo::insert()`, `SimplePdo::update()`, and `SimplePdo::delete()` build SQL statements by concatenating the `$table` argument and the **keys** of the `$data` array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers \u2014 a common and documented pattern, e.g. `$db-\u003einsert(\u0027users\u0027, $request-\u003edata-\u003egetData())` \u2014 an attacker can inject arbitrary SQL by crafting malicious array keys.\n\n### Affected code\n`flight/database/SimplePdo.php`:\n\n```php\n// insert (\u2248 320-373)\n$sql = sprintf(\n    \"INSERT INTO %s (%s) VALUES (%s)\",\n    $table,                            // raw concat\n    implode(\u0027, \u0027, $columns),           // raw array_keys($data)\n    implode(\u0027, \u0027, $placeholders)\n);\n\n// update (\u2248 397-409)\n$sets[] = \"$column = ?\";               // $column = user-controlled key\n$sql = sprintf(\n    \"UPDATE %s SET %s WHERE %s\",\n    $table,                            // raw\n    implode(\u0027, \u0027, $sets),\n    $where\n);\n\n// delete (\u2248 427-429)\n$sql = \"DELETE FROM $table WHERE $where\";\n```\n\nNo identifier-quoting helper exists; neither `$table` nor the data keys are validated against a safe-identifier pattern.\n\n### Proof of concept\nA controller does:\n```php\n$db-\u003einsert(\u0027users\u0027, $request-\u003edata-\u003egetData());\n```\n\nThe attacker sends the JSON body:\n```json\n{\"name, is_admin) VALUES (?, 1);-- \": \"attacker_injected\"}\n```\n\nGenerated SQL:\n```sql\nINSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?)\n```\n\nAfter the `--` comment, the effective statement `INSERT INTO users (name, is_admin) VALUES (?, 1)` binds the single placeholder `\u0027attacker_injected\u0027`, yielding a row with `is_admin = 1`.\n\nReproduced live on an in-memory sqlite database (`testproj/sqli_live2.php`):\n\n```\nid=1  name=alice              is_admin=0\nid=2  name=attacker_injected  is_admin=1   \u003c-- injected insert\n```\n\n`UPDATE` injection via the `$where` parameter was also reproduced: `$db-\u003eupdate(\u0027users\u0027, [\u0027is_admin\u0027 =\u003e 1], \"id = 1 OR 1=1\")` flips admin on every row.\n\n### Impact\n- **Privilege escalation** on any signup / register endpoint that forwards request data to `insert()` (attacker creates an administrative account in a single request).\n- Arbitrary column write through `update()` keys.\n- Data destruction and exfiltration through the `$where` parameter (`DELETE FROM users WHERE 1=1`, UNION-based exfil, etc.).\n\n### Patch (fixed in `3.18.1`, commit `b8dd23a`)\nA new `requireSafeIdentifier()` helper validates table names and column names against `^[A-Za-z_][A-Za-z0-9_]*$` before they are interpolated into the SQL string. The `$where` parameter remains raw SQL as documented \u2014 parameterized values passed alongside it continue to be bound safely.\n\n### Credit\nDiscovered by **@Rootingg**.",
  "id": "GHSA-xwqr-rcqg-22mr",
  "modified": "2026-05-14T20:40:00Z",
  "published": "2026-05-06T21:35:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42550"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flightphp/core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/releases/tag/v3.18.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete"
}

CVE-2026-42550 (GCVE-0-2026-42550)

Vulnerability from cvelistv5 – Published: 2026-05-13 19:22 – Updated: 2026-05-14 15:44

Title

Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

Summary

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/flightphp/core/security/adviso…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
flightphp	core	Affected: < 3.18.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42550",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:43:39.063275Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:44:19.900Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "core",
          "vendor": "flightphp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.18.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers \u2014 a common and documented pattern, e.g. $db-\u003einsert(\u0027users\u0027, $request-\u003edata-\u003egetData()) \u2014 an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T19:22:53.297Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr"
        }
      ],
      "source": {
        "advisory": "GHSA-xwqr-rcqg-22mr",
        "discovery": "UNKNOWN"
      },
      "title": "Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42550",
    "datePublished": "2026-05-13T19:22:53.297Z",
    "dateReserved": "2026-04-28T16:56:50.191Z",
    "dateUpdated": "2026-05-14T15:44:19.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-XWQR-RCQG-22MR

Summary

Affected code

Proof of concept

Impact

Patch (fixed in 3.18.1, commit b8dd23a)

Credit

CVE-2026-42550 (GCVE-0-2026-42550)

Tags

Sightings

Nomenclature

Patch (fixed in `3.18.1`, commit `b8dd23a`)