CVE-2026-41460
Published 2026-04-23
Priority: P274 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.97% (57.5th percentile)
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| socialengine | socialengine | <= 7.8.0 | — |
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- NVD, CVSS v4.0: 9.3 CRITICAL — `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
GHSA
GHSA-fccm-2vww-q6qr (unreviewed, 2026-04-23): CVE-2026-41460 [CRITICAL], CWE-89 (SQL injection). The advisory description is identical to the summary above.
VulDB
SocialEngine up to 7.8.0 get-memberall text sql injection (EUVD-2026-25224)
vuldb · 2026-04-23 · CVSS 9.3 · CVE-2026-41460 [CRITICAL]
A vulnerability classified as critical was found in SocialEngine up to 7.8.0. This vulnerability affects unknown code of the file /activity/index/get-memberall. The manipulation of the argument text results in SQL injection.
This vulnerability is reported as CVE-2026-41460. The attack can be launched remotely. No exploit exists.
- No detection rules found.
- No public exploits indexed.
- No writeups or analysis indexed.