📄 feedyour.email 2.4.1 SQL Injection_PACKETSTORM:214784

Description

A SQL injection vulnerability exists in feedyour.email versions 2.4.1 and below. The vulnerability allows remote attackers to execute arbitrary SQL commands via the search functionality...

Visit Original Source

Basic Information

ID PACKETSTORM:214784

Published Feb 2, 2026 at 00:00

Affected Product

Affected Versions feedyour.email - SQL Injection via Search Parameter
Advisory ID: RO-26-003
CVE ID: CVE-2025-XXXX (Pending)
Severity: Critical
Vendor: indirect
Product: feedyour.email
Version: <=2.4.1

Overview #

A SQL Injection vulnerability exists in feedyour.email. The vulnerability allows remote attackers to execute arbitrary SQL commands via the search functionality.

Vulnerability Details #

Affected Versions: <=2.4.1

Root Cause: The search parameter (params[:q]) is passed directly to the SQLite search() function without proper sanitization, allowing attackers to inject malicious SQL commands.

Vulnerable Code: The vulnerability exists in app/controllers/posts_controller.rb where user input is directly passed to the search function:

@posts = @posts.search(params[:q]).to_a

Exploitation Requirements #

No authentication required.
Attacker must have access to the search functionality.

Impact #

Remote attackers can exploit this vulnerability to:

Extract sensitive data from the database.
Modify or delete database contents.
Bypass authentication mechanisms.
Potentially achieve remote code execution depending on database configuration.

Proof of Concept #

Using sqlmap, the search parameter was confirmed vulnerable to SQL injection attacks. Boolean-based blind and UNION-based injections were successfully demonstrated.

Solution #

Upgrade to a patched version of feedyour.email that includes proper input sanitization using character whitelisting.

References #

GitHub Pull Request #732
Fix Commit

Timeline:

[2025-12-29] - Reported
[2025-12-30] - Fixed

Credits: Omar Kurt

{
    "lastseen": "2026-02-02T18:35:39",
    "description": "A SQL injection vulnerability exists in feedyour.email versions 2.4.1 and below. The vulnerability allows remote attackers to execute arbitrary SQL commands via the search functionality...",
    "published": "2026-02-02T00:00:00",
    "modified": "2026-02-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 feedyour.email 2.4.1 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214784",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "feedyour.email - SQL Injection via Search Parameter\n    Advisory ID: RO-26-003\n    CVE ID: CVE-2025-XXXX (Pending)\n    Severity: Critical\n    Vendor: indirect\n    Product: feedyour.email\n    Version: <=2.4.1\n    \n    \n    Overview #\n    \n    A SQL Injection vulnerability exists in feedyour.email. The vulnerability allows remote attackers to execute arbitrary SQL commands via the search functionality.\n    \n    \n    Vulnerability Details #\n    \n    Affected Versions: <=2.4.1\n    \n    Root Cause: The search parameter (params[:q]) is passed directly to the SQLite search() function without proper sanitization, allowing attackers to inject malicious SQL commands.\n    \n    Vulnerable Code: The vulnerability exists in app/controllers/posts_controller.rb where user input is directly passed to the search function:\n    \n    @posts = @posts.search(params[:q]).to_a\n    \n    \n    \n    Exploitation Requirements #\n    \n        No authentication required.\n        Attacker must have access to the search functionality.\n    \n    Impact #\n    \n    Remote attackers can exploit this vulnerability to:\n    \n        Extract sensitive data from the database.\n        Modify or delete database contents.\n        Bypass authentication mechanisms.\n        Potentially achieve remote code execution depending on database configuration.\n    \n    Proof of Concept #\n    \n    Using sqlmap, the search parameter was confirmed vulnerable to SQL injection attacks. Boolean-based blind and UNION-based injections were successfully demonstrated.\n    \n    \n    Solution #\n    \n    Upgrade to a patched version of feedyour.email that includes proper input sanitization using character whitelisting.\n    \n    \n    References #\n    \n        GitHub Pull Request #732\n        Fix Commit\n    \n    Timeline:\n    \n        [2025-12-29] - Reported\n        [2025-12-30] - Fixed\n    \n    Credits: Omar Kurt",
    "sourceHref": "https://packetstorm.news/download/214784",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214784/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply