📄 Pragyan CMS 3.0 Blind SQL Injection_PACKETSTORM:214738

Description

A critical blind SQL injection vulnerability exists in Pragyan CMS version 3.0 and earlier, affecting the main index endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands and potentially compromise the...

Visit Original Source

Basic Information

ID PACKETSTORM:214738

Published Feb 2, 2026 at 00:00

Affected Product

Affected Versions Pragyan CMS 3.0 - Blind SQL Injection
Advisory ID: RO-14-001
Severity: Critical
Vendor: Delta
Product: Pragyan CMS
Version: 3

Overview #

A critical Blind SQL Injection vulnerability exists in Pragyan CMS version 3.0 and earlier, affecting the main index endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands and potentially compromise the entire database.

Vulnerability Details #

Affected Versions: 3.0 and earlier

Location: Main index endpoint

Affected Parameter: page

Root Cause: The vulnerability exists due to insufficient input validation on the page parameter. User-supplied input is directly concatenated into an SQL query without proper sanitization or parameterized queries.

Exploitation Requirements #

No authentication required
Direct access to the main index endpoint

Impact #

Remote attackers can exploit this vulnerability to:

Extract sensitive data from the database
Bypass authentication mechanisms
Modify or delete database content
Potentially gain administrative access to the CMS

Proof of Concept #

GET /?page='+(SELECT 1 FROM (SELECT SLEEP(25))A)+' HTTP/1.1
Host: target.com

Time-based Blind SQL Injection: If the server response is delayed by 25 seconds, the target is vulnerable.

Solution #

Upgrade to a patched version of Pragyan CMS. Apply the vendor patch that includes proper input sanitization for the affected parameter.

References #

Invicti Advisory NS-14-001
GitHub Patch

Timeline:

[2014-01-01] - Discovered

Credits: Omar Kurt

{
    "lastseen": "2026-02-02T18:29:10",
    "description": "A critical blind SQL injection vulnerability exists in Pragyan CMS version 3.0 and earlier, affecting the main index endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands and potentially compromise the...",
    "published": "2026-02-02T00:00:00",
    "modified": "2026-02-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Pragyan CMS 3.0 Blind SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214738",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "Pragyan CMS 3.0 - Blind SQL Injection\n    Advisory ID: RO-14-001\n    Severity: Critical\n    Vendor: Delta\n    Product: Pragyan CMS\n    Version: 3\n    \n    \n    Overview #\n    \n    A critical Blind SQL Injection vulnerability exists in Pragyan CMS version 3.0 and earlier, affecting the main index endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands and potentially compromise the entire database.\n    \n    \n    Vulnerability Details #\n    \n    Affected Versions: 3.0 and earlier\n    \n    Location: Main index endpoint\n    \n    Affected Parameter: page\n    \n    Root Cause: The vulnerability exists due to insufficient input validation on the page parameter. User-supplied input is directly concatenated into an SQL query without proper sanitization or parameterized queries.\n    \n    \n    Exploitation Requirements #\n    \n        No authentication required\n        Direct access to the main index endpoint\n    \n    Impact #\n    \n    Remote attackers can exploit this vulnerability to:\n    \n        Extract sensitive data from the database\n        Bypass authentication mechanisms\n        Modify or delete database content\n        Potentially gain administrative access to the CMS\n    \n    Proof of Concept #\n    \n    GET /?page='+(SELECT 1 FROM (SELECT SLEEP(25))A)+' HTTP/1.1\n    Host: target.com\n    \n    Time-based Blind SQL Injection: If the server response is delayed by 25 seconds, the target is vulnerable.\n    \n    \n    Solution #\n    \n    Upgrade to a patched version of Pragyan CMS. Apply the vendor patch that includes proper input sanitization for the affected parameter.\n    \n    \n    References #\n    \n        Invicti Advisory NS-14-001\n        GitHub Patch\n    \n    Timeline:\n    \n        [2014-01-01] - Discovered\n    \n    Credits: Omar Kurt",
    "sourceHref": "https://packetstorm.news/download/214738",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214738/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply