cbcvebase.
CVE-2026-42647
published 2026-06-11

Priority: P2 (77)
Severity: critical, CVSS 3.1 base score 9.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Exploited in the wild (ITW); public exploit available; listed in VulnCheck KEV
EPSS: 1.32% (67.3rd percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7.

Affected

1 range
Vendor    Product    Version range    Fixed in
beardev   joomsport  n/a – 5.7.7      not listed

Detection & IOCs (extracted from sources)

URL: {{season_path}}?action=playerlist&sortf=post_title%60,(SELECT/**/x/**/FROM/**/(SELECT/**/SLEEP(6)/**/AS/**/x)/**/AS/**/t)%23&sortd=ASC
Payload (decoded `sortf` value): post_title`,(SELECT/**/x/**/FROM/**/(SELECT/**/SLEEP(6)/**/AS/**/x)/**/AS/**/t)#
  • Detect time-based blind SQLi attempts against JoomSport's playerlist endpoint by monitoring requests whose path matches the season/playerlist pattern and whose `sortf` parameter contains SQL comment sequences (/**/) together with SLEEP() calls.
  • Flag HTTP requests where the `sortf` query parameter contains a backtick (%60) followed by an injection payload that uses inline-comment obfuscation (/**/), the hallmark of this exploit: the leading backtick closes the quoted column identifier the plugin builds from `sortf`, the subquery forces a SLEEP(6), and the trailing # (%23) comments out the remainder of the statement.
  • A successful exploitation attempt produces a response that takes at least 6 seconds, returns HTTP 200, and contains the strings 'Name', 'Match played', and 'Played minutes'; apply response-time anomaly detection on this endpoint.
  • The reconnaissance step queries the playerlist endpoint with legitimate parameters (action=playerlist&sortf=post_title&sortd=ASC); treat this pattern as a possible precursor to the injection attempt.
  • The exploit is a multi-step attack: the first stage discovers the season path dynamically from the JoomSport page body before constructing the injection URL, so detection rules must not assume a fixed path.
  • The payload uses comment-based whitespace obfuscation (/**/) to evade naive WAF/IDS keyword matching on spaces; signatures must normalise /**/ to whitespace (and URL-decode %60 and %23) before matching.
  • The time-based threshold is 6 seconds (SLEEP(6)) and the exploit request uses a 20-second network timeout. A rule based on response time alone is unreliable in high-latency environments: slow legitimate responses cross the threshold (false positives) and a request that never completes yields no latency to measure (false negatives). Combine the timing check with the payload signatures above.
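Added example (not part of the advisory or of JoomSport's code): a small Python detector that applies the rules above to constructed access-log lines. It URL-decodes and normalises the `sortf` parameter so that %60 and /**/ cannot hide the payload, classifies each request as recon, injection or benign without depending on the variable season path, correlates a recon request with a later injection from the same client, and checks the response-side indicators (HTTP 200, latency at or above 6 s, the three marker strings). The log format, client addresses and season path are invented for the example; matching BENCHMARK() alongside SLEEP() is an extension beyond the page's SLEEP-only payload.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators from the advisory: the PoC sleeps for 6 s and a successful
# response is HTTP 200 with these three strings in the body.
SLEEP_THRESHOLD_S = 6.0
SUCCESS_MARKERS = ("Name", "Match played", "Played minutes")

# SLEEP() is what the page's payload uses; BENCHMARK() is an added assumption,
# the other common MySQL time-delay primitive.
TIME_DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
PLAIN_COLUMN_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed access-log shape for this example (not a real server format):
#   <client ip> "<method> <url> HTTP/x.y" <status> <elapsed ms>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<ms>\d+)$'
)


def normalize_sql(value):
    """URL-decode until stable (catches %60 and double-encoding), then turn the
    /**/ comment-as-whitespace trick into real spaces so keyword matching works."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    value = value.replace("/**/", " ")
    return re.sub(r"\s+", " ", value).strip()


def analyze_request(url):
    """Classify one request URL as 'injection', 'recon' (a plain sort on the
    playerlist endpoint, the PoC's first step) or 'benign'. The path is ignored
    on purpose: the exploit discovers the season path at run time, so the
    action/sortf parameters are the stable part of the pattern."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    action = qs.get("action", [""])[0]
    sortf = qs.get("sortf", [""])[0]      # parse_qs already decoded %60 -> `
    norm = normalize_sql(sortf)
    flags = {
        "playerlist": action == "playerlist",
        "backtick": "`" in sortf,
        "inline_comment": "/**/" in sortf,
        "time_delay": bool(TIME_DELAY_RE.search(norm)),
        "normalized_sortf": norm,
    }
    if flags["playerlist"] and (flags["backtick"] or flags["inline_comment"] or flags["time_delay"]):
        flags["verdict"] = "injection"
    elif flags["playerlist"] and PLAIN_COLUMN_RE.match(sortf):
        flags["verdict"] = "recon"
    else:
        flags["verdict"] = "benign"
    return flags


def response_indicates_sleep(status, elapsed_s, body):
    """Response-side check from the advisory: HTTP 200, at least 6 s elapsed,
    and all three marker strings present in the body."""
    return (status == 200 and elapsed_s >= SLEEP_THRESHOLD_S
            and all(marker in body for marker in SUCCESS_MARKERS))


def scan_log(lines):
    """Walk log lines in order. Emit one alert per injection attempt, noting
    whether the same client already issued the plain recon request and whether
    status and timing suggest the SLEEP actually fired."""
    recon_sources = set()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, don't crash
        req = analyze_request(m["url"])
        if req["verdict"] == "recon":
            recon_sources.add(m["ip"])
            continue
        if req["verdict"] != "injection":
            continue
        status, elapsed_s = int(m["status"]), int(m["ms"]) / 1000.0
        alerts.append({
            "ip": m["ip"],
            "url": m["url"],
            "preceded_by_recon": m["ip"] in recon_sources,
            "likely_successful": status == 200 and elapsed_s >= SLEEP_THRESHOLD_S,
        })
    return alerts


# Constructed sample log (documentation-range IPs; the season path is invented).
SAMPLE_LOG = [
    '203.0.113.7 "GET /index.php/seasons/2025?action=playerlist&sortf=post_title&sortd=ASC HTTP/1.1" 200 180',
    '198.51.100.4 "GET /index.php/seasons/2025?action=playerlist&sortf=post_title&sortd=DESC HTTP/1.1" 200 150',
    '203.0.113.7 "GET /index.php/seasons/2025?action=playerlist&sortf=post_title%60,(SELECT/**/x/**/FROM/**/(SELECT/**/SLEEP(6)/**/AS/**/x)/**/AS/**/t)%23&sortd=ASC HTTP/1.1" 200 6210',
    '198.51.100.9 "GET /index.php/component/content/?view=article HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Recon-only hits are not alerted on their own, since any visitor sorting a player list produces the same request; they are only used to enrich a later injection alert from the same source. The `likely_successful` flag is a timing heuristic and inherits the caveat above about latency, so treat it as a triage hint rather than confirmation.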