SocialEngine

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.

AI Analysis

SQL injection vulnerability in SocialEngine via the /activity/index/get-memberall endpoint, allowing remote attackers to read arbitrary data and gain unauthorized access.

Basic Information

ID CVE-2026-41460

Source VulnCheck

Published Apr 23, 2026 at 13:44

Modified Apr 23, 2026 at 15:09

Affected Product

Vendor SocialEngine

Product SocialEngine

Affected Versions SocialEngine SocialEngine 0

CWE Classification

CWE-89

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor SocialEngine

Product SocialEngine

Version 7.8.0 and prior

References

{
    "lastseen": "",
    "description": "SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.",
    "published": "2026-04-23T13:44:51.140Z",
    "modified": "2026-04-23T15:09:06.562Z",
    "type": "cve",
    "title": "SocialEngine <= 7.8.0 SQL Injection via activity/index/get-memberall",
    "source": "VulnCheck",
    "references": "https://karmainsecurity.com/KIS-2026-08\nhttps://socialengine.com\nhttps://www.vulncheck.com/advisories/socialengine-sql-injection-via-activity-index-get-memberall",
    "id": "CVE-2026-41460",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "SocialEngine SocialEngine 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SocialEngine",
    "version": "0",
    "vendor": "SocialEngine",
    "ai_description": "SQL injection vulnerability in SocialEngine via the /activity/index/get-memberall endpoint, allowing remote attackers to read arbitrary data and gain unauthorized access.",
    "ai_severity": "Critical",
    "ai_vendor": "SocialEngine",
    "ai_product": "SocialEngine",
    "ai_version": "7.8.0 and prior",
    "ai_score": 9.3
}

SocialEngine <= 7.8.0 SQL Injection via activity/index/get-memberall_CVE-2026-41460