CVE-2026-41460
SocialEngine · Multiple Products
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the activity module, allowing unauthenticated attackers to gain unauthorized access to the administrative panel.
Executive summary
An unauthenticated SQL injection vulnerability in SocialEngine versions 7.8.0 and prior allows attackers to compromise administrative accounts and potentially execute remote code.
Vulnerability
This is a SQL injection vulnerability within the /activity/index/get-memberall endpoint, where insufficient sanitization of the text parameter allows unauthenticated remote attackers to execute arbitrary SQL queries against the database.
Business impact
Successful exploitation allows an attacker to bypass authentication, extract sensitive database information, reset administrator credentials, and potentially gain access to the Packages Manager. With a CVSS score of 9.8, this vulnerability poses a critical risk to data integrity and system availability, as the resulting administrative access could lead to full remote code execution.
Remediation
Immediate Action: Update all SocialEngine instances to the latest version as provided by the vendor to ensure the SQL injection vulnerability is patched.
Proactive Monitoring: Review database query logs for suspicious SQL syntax and monitor access logs for unauthorized attempts to reach the Admin Panel or the get-memberall endpoint.
Compensating Controls: Utilize a Web Application Firewall (WAF) configured with rules to detect and block common SQL injection patterns in HTTP requests.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability is highly critical due to the potential for full administrative takeover. Security teams should prioritize patching to the latest version immediately, as the attack vector is accessible to unauthenticated users and the impact is severe.