CVE-2026-42550
FlightPHP · core
FlightPHP core before 3.18.1 is vulnerable to SQL injection, allowing an authenticated attacker to execute arbitrary SQL commands via improper neutralization of special elements.
Executive summary
A SQL injection vulnerability in the FlightPHP micro-framework allows authenticated attackers to execute arbitrary database commands, posing a high risk of data compromise.
Vulnerability
The vulnerability is a SQL Injection (CWE-89) arising from improper neutralization of special elements in database queries. The CVSS vector indicates that while the attack is network-based, it requires low-level privileges (authenticated) to trigger.
Business impact
The ability to inject arbitrary SQL commands can lead to unauthorized data access, modification, or deletion within the underlying database. Given the CVSS score of 8.8, this represents a significant risk to the integrity and confidentiality of sensitive business information stored within applications utilizing this framework.
Remediation
Immediate Action: Update the FlightPHP core package to version 3.18.1 or later via your package manager.
Proactive Monitoring: Monitor database query logs for anomalous or malformed SQL syntax, particularly those originating from application-level service accounts.
Compensating Controls: Implement a Web Application Firewall (WAF) with robust SQL injection filtering rules to inspect incoming traffic for malicious patterns.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Organizations using the FlightPHP framework should prioritize the update to version 3.18.1. Given the existence of a proof-of-concept, prompt remediation is required to prevent potential exploitation by malicious actors seeking to leverage database-level vulnerabilities.