CVE-2026-38581
damasac · thaipalliative_lte
A SQL injection vulnerability in thaipalliative_lte allows remote attackers to execute arbitrary SQL commands via unsanitized input in the idFormMain and id parameters.
Executive summary
A critical SQL injection vulnerability in thaipalliative_lte allows remote attackers to execute arbitrary SQL commands, risking total database compromise.
Vulnerability
The application concatenates the user-supplied idFormMain and id parameters directly into SQL query strings without validation or parameterization, so a remote, unauthenticated attacker can change the structure of the query and execute arbitrary SQL statements against the backend database.
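The pattern behind this class of flaw, and the fix, shown as an added example rather than code from thaipalliative_lte (which is a PHP application; the same fix there is a PDO or mysqli prepared statement). The table and column names, the query shape, and the sample rows are assumed for illustration and are not taken from the advisory:

```python
import sqlite3

# Constructed stand-in schema. The real thaipalliative_lte tables and columns
# are not given in the advisory; these names and rows are assumed.
SCHEMA = """
CREATE TABLE form_main (idFormMain INTEGER PRIMARY KEY, patient TEXT, note TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO form_main VALUES (1, 'patient-A', 'visit note A');
INSERT INTO form_main VALUES (2, 'patient-B', 'visit note B');
INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, id_form_main):
    """Flaw of the kind the advisory describes: the raw parameter is
    concatenated into the SQL text, so any SQL syntax in it is executed."""
    sql = "SELECT patient, note FROM form_main WHERE idFormMain = " + id_form_main
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, id_form_main):
    """Hardened form: enforce the type the parameter is supposed to have, then
    bind it through a placeholder so the driver never parses it as SQL."""
    try:
        id_value = int(id_form_main)
    except (TypeError, ValueError):
        raise ValueError("idFormMain must be an integer")
    sql = "SELECT patient, note FROM form_main WHERE idFormMain = ?"
    return conn.execute(sql, (id_value,)).fetchall()


# Two classic payloads: a tautology that widens the WHERE clause to every row,
# and a UNION that appends rows from an unrelated table to the result set.
TAUTOLOGY_PAYLOAD = "1 OR 1=1"
UNION_PAYLOAD = "0 UNION SELECT username, password_hash FROM users"


def demo():
    conn = make_db()
    results = {
        "normal": lookup_vulnerable(conn, "1"),
        "tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "fixed_normal": lookup_fixed(conn, "1"),
    }
    try:
        lookup_fixed(conn, TAUTOLOGY_PAYLOAD)
        results["fixed_rejects_payload"] = False
    except ValueError:
        results["fixed_rejects_payload"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable lookup returns every patient row for the tautology and the users table's credential hash for the UNION payload; the fixed lookup returns the one intended row for a legitimate id and refuses anything that is not an integer before the query is ever built. Escaping alone is not the fix: binding the value separately from the SQL text is what removes the attacker's control over query structure.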
Business impact
With a CVSS score of 9.8, this flaw allows unauthorized actors to read, modify, or delete sensitive data within the backend database. Such an exploit can lead to full database takeover, exposure of PII, and significant operational disruption.
Remediation
Immediate Action: Review vendor communication for available patches or updates for thaipalliative_lte and apply them as soon as they are released.
Proactive Monitoring: Monitor web-server and database query logs for suspicious values in the idFormMain and id parameters, such as UNION SELECT clauses, tautologies like OR 1=1, comment sequences used to truncate the query, or queries touching administrative tables that these lookups would never reference.
Compensating Controls: Deploy a Web Application Firewall (WAF) rule that inspects the idFormMain and id parameters of requests to ezform.php and blocks values carrying SQL syntax. Treat this as a stopgap: signature-based filtering can be bypassed (for example by encoding or obfuscating the payload) and it does not remove the underlying query concatenation.
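A detection pass over access-log lines for ezform.php that applies the monitoring rule above, written as an added example for this advisory, not tooling from the vendor. It assumes the common log format, that idFormMain and id are expected to be plain integers (inferred from the parameter names, not stated in the advisory), and the log lines, IPs and payloads below are constructed. The same conditions are what a WAF rule for this endpoint would express:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (common log format). Line 1 and line 5 are benign;
# lines 2-4 carry a UNION, a tautology, and a doubly URL-encoded time-based payload.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:01 +0700] "GET /ezform.php?idFormMain=12&id=7 HTTP/1.1" 200 1834
10.0.0.9 - - [01/Jan/2026:10:00:02 +0700] "GET /ezform.php?idFormMain=12%20UNION%20SELECT%20username,password%20FROM%20users--&id=7 HTTP/1.1" 200 2210
10.0.0.9 - - [01/Jan/2026:10:00:03 +0700] "GET /ezform.php?idFormMain=12&id=7%20OR%201%3D1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2026:10:00:04 +0700] "GET /ezform.php?id=%25%32%37%20OR%20SLEEP(5)-- HTTP/1.1" 200 10
10.0.0.7 - - [01/Jan/2026:10:00:05 +0700] "GET /index.php?page=home HTTP/1.1" 200 900
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures for the patterns the monitoring guidance names. These are
# indicators, not proof: an attacker can rephrase a payload to dodge them,
# which is why the type check below is the primary rule.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"\bor\b\s*[\w'\"]+\s*=\s*[\w'\"]+", re.I)),
    ("comment", re.compile(r"--|/\*")),
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
    ("quote", re.compile(r"['\"]")),
]


def fully_decode(value, rounds=3):
    """Undo repeated URL encoding (%2527 -> %27 -> ') so a doubly encoded
    payload is inspected in the form the application may end up seeing."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_value(value):
    """Return the list of reasons a parameter value looks hostile (empty if clean)."""
    reasons = []
    if not re.fullmatch(r"\d+", value):      # assumed: identifiers are integers
        reasons.append("non-numeric")
    for name, pattern in SIGNATURES:
        if pattern.search(value):
            reasons.append(name)
    return reasons


def scan_log(text, path="/ezform.php", params=("idFormMain", "id")):
    """Scan access-log text; return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != path:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
        for param in params:
            for raw in query.get(param, []):
                value = fully_decode(raw)
                reasons = inspect_value(value)
                if reasons:
                    findings.append({"ip": m.group("ip"), "param": param,
                                     "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

The type check catches all three hostile lines regardless of which SQL trick they use, and the signatures only add context for triage. Decoding more than once matters: the fourth line reaches the server as `%25%32%37`, which a single-decode filter would pass through as the harmless-looking string `%27`.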
Exploitation status
Public Exploit Available: False
Analyst recommendation
SQL injection remains a primary vector for data theft. Organizations running affected versions of thaipalliative_lte should restrict network access to the application (at minimum to ezform.php) until a patch is applied. WAF rules can reduce exposure in the meantime, but they are a stopgap rather than a fix: the only complete remediation is a vendor update that replaces string concatenation with parameterized queries.