📄 SocialEngine 7.8.0 SQL Injection_PACKETSTORM:219705

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

SocialEngine versions 7.8.0 and below suffer from a remote SQL injection vulnerability. User input passed through the text request parameter to the /activity/index/get-memberall endpoint is not properly sanitized before being used to construct an SQL...

Visit Original Source

Basic Information

ID PACKETSTORM:219705

Published Apr 23, 2026 at 00:00

Affected Product

Affected Versions -----------------------------------------------------------------
SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability
-----------------------------------------------------------------

[-] Software Link:

https://socialengine.com

[-] Affected Versions:

Versions 7.8.0, 7.7.0, and likely prior versions.

[-] Vulnerability Description:

User input passed through the "text" request parameter to the
/activity/index/get-memberall endpoint is not properly sanitized
before being used to construct an SQL query. This can be exploited by
remote, unauthenticated attackers to read arbitrary, sensitive data
from the underlying database through in-band SQL Injection attacks.

NOTE: this might also be exploited to reset admin users' passwords and
gain unauthorized access to the "Packages Manager" in the Admin Panel,
in order to achieve Remote Code Execution (RCE).

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2026-41460.php

[-] Solution:

No official solution is currently available.

[-] Disclosure Timeline:

[02/02/2026] - Vulnerability confirmed on version 7.7.0

[02/02/2026] - Vendor notified

[09/02/2026] - Vendor response stating "We are currently validating
your report... If this issue is confirmed, we will prioritize
appropriate fixes and include them in an upcoming update."

[27/02/2026] - Vendor released version 7.8.0, but the vulnerability is
still not fixed

[02/03/2026] - Vendor contacted again

[09/03/2026] - Vendor response stating "We will check and update you."

[23/03/2026] - Vendor notified about 60-day disclosure deadline policy

[25/03/2026] - Vendor said this issue has been fixed on the demo
website, and invited me to test it

[25/03/2026] - Vendor was informed the demo website looks not vulnerable anymore

[03/04/2026] - Reached 60-day disclosure deadline, still no official solution

[21/04/2026] - CVE identifier requested

[22/04/2026] - CVE identifier assigned

[23/04/2026] - Public disclosure

[-] CVE Reference:

CVE-2026-41460 has been assigned to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-08

{
    "lastseen": "2026-04-23T17:40:14",
    "description": "SocialEngine versions 7.8.0 and below suffer from a remote SQL injection vulnerability. User input passed through the text request parameter to the /activity/index/get-memberall endpoint is not properly sanitized before being used to construct an SQL...",
    "published": "2026-04-23T00:00:00",
    "modified": "2026-04-23T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 SocialEngine 7.8.0 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219705",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-41460"
    ],
    "sourceData": "-----------------------------------------------------------------\n    SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability\n    -----------------------------------------------------------------\n    \n    \n    [-] Software Link:\n    \n    https://socialengine.com\n    \n    \n    [-] Affected Versions:\n    \n    Versions 7.8.0, 7.7.0, and likely prior versions.\n    \n    \n    [-] Vulnerability Description:\n    \n    User input passed through the \"text\" request parameter to the\n    /activity/index/get-memberall endpoint is not properly sanitized\n    before being used to construct an SQL query. This can be exploited by\n    remote, unauthenticated attackers to read arbitrary, sensitive data\n    from the underlying database through in-band SQL Injection attacks.\n    \n    NOTE: this might also be exploited to reset admin users' passwords and\n    gain unauthorized access to the \"Packages Manager\" in the Admin Panel,\n    in order to achieve Remote Code Execution (RCE).\n    \n    \n    [-] Proof of Concept:\n    \n    https://karmainsecurity.com/pocs/CVE-2026-41460.php\n    \n    \n    [-] Solution:\n    \n    No official solution is currently available.\n    \n    \n    [-] Disclosure Timeline:\n    \n    [02/02/2026] - Vulnerability confirmed on version 7.7.0\n    \n    [02/02/2026] - Vendor notified\n    \n    [09/02/2026] - Vendor response stating \"We are currently validating\n    your report... If this issue is confirmed, we will prioritize\n    appropriate fixes and include them in an upcoming update.\"\n    \n    [27/02/2026] - Vendor released version 7.8.0, but the vulnerability is\n    still not fixed\n    \n    [02/03/2026] - Vendor contacted again\n    \n    [09/03/2026] - Vendor response stating \"We will check and update you.\"\n    \n    [23/03/2026] - Vendor notified about 60-day disclosure deadline policy\n    \n    [25/03/2026] - Vendor said this issue has been fixed on the demo\n    website, and invited me to test it\n    \n    [25/03/2026] - Vendor was informed the demo website looks not vulnerable anymore\n    \n    [03/04/2026] - Reached 60-day disclosure deadline, still no official solution\n    \n    [21/04/2026] - CVE identifier requested\n    \n    [22/04/2026] - CVE identifier assigned\n    \n    [23/04/2026] - Public disclosure\n    \n    \n    [-] CVE Reference:\n    \n    CVE-2026-41460 has been assigned to this vulnerability.\n    \n    \n    [-] Credits:\n    \n    Vulnerability discovered by Egidio Romano.\n    \n    \n    [-] Original Advisory:\n    \n    https://karmainsecurity.com/KIS-2026-08",
    "sourceHref": "https://packetstorm.news/download/219705",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219705/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply