CVE 9.8 CRITICAL

CVE-2026-38581_CVE-2026-38581

June 11, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

AI Analysis

SQL Injection vulnerability allowing remote attackers to execute arbitrary SQL commands

Basic Information

ID CVE-2026-38581

Source mitre

Published Jun 11, 2026 at 00:00

Modified Jun 11, 2026 at 14:40

Affected Product

Vendor damasac

Product thaipalliative_lte

Version 3.0

Affected Versions n/a n/a n/a

CWE Classification

CWE-89

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor damasac

Product thaipalliative_lte

Version 3.0

References

{
    "lastseen": "",
    "description": "SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.",
    "published": "2026-06-11T00:00:00.000Z",
    "modified": "2026-06-11T14:40:29.371Z",
    "type": "cve",
    "title": "CVE-2026-38581",
    "source": "mitre",
    "references": "https://github.com/damasac/thaipalliative_lte/blob/57b57630fb403eba524533062ef5244e9b7c4380/substudy/ezform.php#L14\nhttps://github.com/theemperorspath/advisories/blob/main/2026/CVE-2026-38581.md",
    "id": "CVE-2026-38581",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "thaipalliative_lte",
    "version": "3.0",
    "vendor": "damasac",
    "ai_description": "SQL Injection vulnerability allowing remote attackers to execute arbitrary SQL commands",
    "ai_severity": "Critical",
    "ai_vendor": "damasac",
    "ai_product": "thaipalliative_lte",
    "ai_version": "3.0",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply