CVE-2026-41460

CRITICAL 9.8 · EPSS percentile 57.3%

Description

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.
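The flaw class described above (CWE-89: a search term from the `text` parameter spliced into a query) and the difference a parameterized query makes are shown below in an added example. This is illustrative code written for this page, not SocialEngine's code: the `users` table, its column names, the rows, the UNION payload, the access-log format and the assumption that `text` arrives in the query string are all constructed here. The endpoint path and parameter name are the only details taken from the advisory text.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed in-memory table standing in for a members table. The schema,
# column names and rows are assumptions for this example, not SocialEngine's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, displayname TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (displayname, password) VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("admin", "hash-of-admin"), ("bob", "hash-of-bob")],
    )
    return conn

def get_members_vulnerable(conn, text):
    """CWE-89 pattern: the 'text' search term is spliced into the SQL string."""
    sql = (
        "SELECT user_id, displayname FROM users "
        "WHERE displayname LIKE '%" + text + "%'"
    )
    return conn.execute(sql).fetchall()

def get_members_fixed(conn, text):
    """Hardened form: LIKE metacharacters escaped, value bound as a parameter."""
    escaped = text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        "SELECT user_id, displayname FROM users "
        "WHERE displayname LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()

# Hypothetical UNION payload: closes the quoted LIKE term, appends a second
# SELECT over the password column, and comments out the trailing "%'".
UNION_PAYLOAD = "' UNION SELECT user_id, password FROM users --"

def leaked_hashes(rows):
    """Return the password hashes, if any, that a result set exposed."""
    return sorted(v for _, v in rows if v.startswith("hash-of-"))

# Detection heuristic for access logs: flag requests to the affected endpoint
# whose 'text' parameter carries SQL metacharacters. The path and parameter
# name come from the advisory; the log format and the assumption that the
# parameter travels in the query string are this example's own.
SQLI_HINT = re.compile(r"['\";]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)

def flag_requests(log_lines):
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.rstrip("/").endswith("/activity/index/get-memberall"):
            continue
        for value in parse_qs(url.query).get("text", []):
            if SQLI_HINT.search(value):
                flagged.append(line)
                break
    return flagged

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Apr/2026:10:00:01 +0000] "GET /activity/index/get-memberall?text=ali HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Apr/2026:10:00:02 +0000] "GET /activity/index/get-memberall?text=%27%20UNION%20SELECT%20user_id%2C%20password%20FROM%20users%20-- HTTP/1.1" 200 2048',
    '198.51.100.7 - - [23/Apr/2026:10:00:03 +0000] "GET /members/home?text=%27 HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_hashes(get_members_vulnerable(db, UNION_PAYLOAD)))
    print("fixed:     ", leaked_hashes(get_members_fixed(db, UNION_PAYLOAD)))
    print("flagged:   ", len(flag_requests(SAMPLE_LOG)))
```

Against the vulnerable function the payload returns every password hash alongside the legitimate rows; against the parameterized version the same string is just a search term that matches nothing. The log heuristic is deliberately coarse (quotes, comment markers and a few keywords) and is meant for triage of existing logs, not as a substitute for patching; the `ESCAPE` clause in the fix matters because a bound `%` or `_` would otherwise still widen the LIKE match.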

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.97% probability of exploitation · percentile 57.3% · scored 2026-06-19T12:03:05Z
Published: 2026-04-23
Last modified: 2026-04-29

Underlying weaknesses · 1

CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

References

  1. https://karmainsecurity.com/KIS-2026-08
  2. https://socialengine.com
  3. https://www.vulncheck.com/advisories/socialengine-sql-injection-via-activity-index-get-memberall
  4. http://seclists.org/fulldisclosure/2026/Apr/12
  5. https://karmainsecurity.com/pocs/CVE-2026-41460.php

Weakness mappings · 1

Type      Target                                                                                 Confidence  Tier
Weakness  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-41461
  2. CVE-2026-39109
  3. CVE-2025-46109
  4. CVE-2026-5073
  5. CVE-2026-4815
  6. CVE-2026-2083
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.