CVE-2026-53690
Redeight · Redeight CMS
An SQL injection vulnerability in Redeight CMS allows unauthenticated remote attackers to execute arbitrary SQL commands via the "userEmail" parameter in the admin login endpoint.
Executive summary
Redeight CMS is susceptible to a critical SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary database commands and exfiltrate sensitive information.
Vulnerability
This is an SQL injection vulnerability located in the "/admin/index.php" login endpoint. An unauthenticated attacker can supply malicious input via the "userEmail" parameter, which is then processed by the database without proper sanitization.
Business impact
The ability for an unauthenticated attacker to inject SQL commands poses a severe risk to data confidentiality and integrity. With a CVSS score of 9.3, this vulnerability could allow unauthorized parties to extract administrative credentials, user data, or configuration details, potentially leading to a full system compromise and significant reputational damage.
Remediation
Immediate Action: Update Redeight CMS to the latest available version, which applies proper input sanitization and uses prepared SQL statements.
Proactive Monitoring: Review web server and database logs for anomalous input patterns or unexpected SQL syntax errors originating from the admin login endpoint.
Compensating Controls: Deploy a Web Application Firewall (WAF) with specific rules designed to detect and block SQL injection payloads targeting POST parameters.
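The query pattern described above beside its prepared-statement fix, as an added illustration in Python with sqlite3 that is not Redeight CMS code: the admin_users table, its columns and the sample admin row are constructed, and an email containing a single quote is used to show why the advisory recommends watching for unexpected SQL syntax errors at the login endpoint.

```python
"""Constructed illustration of the userEmail query pattern and its fix.
Not Redeight CMS code; table and sample data are made up for this example."""
import sqlite3


def make_db():
    # Constructed in-memory database standing in for the CMS admin table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO admin_users (email, pw_hash) VALUES ('admin@example.test', 'hash-placeholder')"
    )
    conn.commit()
    return conn


def lookup_admin_unsafe(conn, user_email):
    # Vulnerable pattern: the userEmail value is concatenated straight into the
    # SQL text, so the database parses user-controlled characters as query syntax.
    query = f"SELECT id FROM admin_users WHERE email = '{user_email}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_admin_safe(conn, user_email):
    # Fix: bind the value as a parameter. The database receives the query shape
    # and the value separately, so the value is never interpreted as SQL.
    row = conn.execute(
        "SELECT id FROM admin_users WHERE email = ?", (user_email,)
    ).fetchone()
    return row[0] if row else None


def compare(user_email):
    """Run both lookups on the same input and return (unsafe, safe).

    Each result is the matched admin id, None for no match, or "SQL_ERROR"
    when the database rejected the query. Such errors on the login endpoint
    are the log signal the advisory tells defenders to review."""
    conn = make_db()
    try:
        unsafe = lookup_admin_unsafe(conn, user_email)
    except sqlite3.Error:
        unsafe = "SQL_ERROR"
    safe = lookup_admin_safe(conn, user_email)
    conn.close()
    return unsafe, safe
```

A legitimate address such as o'brien@example.test makes the concatenated query fail to parse while the parameterized query simply finds no match, which is the difference between an injection surface and a correct lookup.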
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Given the critical nature of this SQL injection flaw and the lack of authentication required for exploitation, immediate patching is required. Organizations should prioritize updating their CMS instances and ensure that database access logs are audited for any signs of unauthorized query execution.