Cyber Posture

CVE-2026-41460

Severity: Critical · Public PoC available

Published: 23 April 2026
Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint, where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Directly prevents SQL injection by requiring validation and sanitization of user-supplied input, such as the text parameter, before it is incorporated into SQL queries.

Prevent: Ensures timely remediation of the specific SQL injection flaw in the /activity/index/get-memberall endpoint through patching and testing.

Detect: Vulnerability scanning identifies SQL injection vulnerabilities such as CVE-2026-41460 in the application, enabling proactive remediation.
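The first control above is the one that removes the flaw class itself: the search term must never be spliced into the SQL text. The following is an added illustration, not SocialEngine's code (SocialEngine is a PHP application; this uses Python and an in-memory SQLite table that is constructed here as a stand-in for a member list). The endpoint path, the `text` parameter and the 64-character limit are assumptions for the example. It shows the string-concatenation pattern beside a hardened version that validates the parameter, binds it as a query parameter and escapes LIKE wildcards, and uses an ordinary name containing an apostrophe to show that the concatenated form treats input as SQL while the bound form treats it as data.

```python
import sqlite3

MAX_TEXT_LEN = 64  # assumed limit for the search term; not taken from the advisory


def build_db():
    """Constructed in-memory member table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, displayname TEXT)")
    conn.executemany(
        "INSERT INTO members (displayname) VALUES (?)",
        [("Alice O'Brien",), ("Bob Smith",), ("Carol Obrien",)],
    )
    conn.commit()
    return conn


def validate_text(text):
    """Narrow what the 'text' parameter may contain (type, length, control chars).

    Validation limits the input; it does not replace parameter binding below.
    """
    if not isinstance(text, str):
        raise ValueError("text must be a string")
    if len(text) > MAX_TEXT_LEN:
        raise ValueError("text too long")
    if any(ord(c) < 32 for c in text):
        raise ValueError("control characters not allowed")
    return text


def search_members_unsafe(conn, text):
    """Vulnerable pattern: the search term becomes part of the SQL statement text."""
    query = "SELECT id, displayname FROM members WHERE displayname LIKE '%" + text + "%'"
    return conn.execute(query).fetchall()


def search_members_safe(conn, text):
    """Hardened pattern: validate, escape LIKE wildcards, then bind as a parameter."""
    text = validate_text(text)
    # Backslash is the declared ESCAPE character, so escape it first, then % and _.
    escaped = text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    query = "SELECT id, displayname FROM members WHERE displayname LIKE ? ESCAPE '\\'"
    return conn.execute(query, ("%" + escaped + "%",)).fetchall()


def demo():
    """Run both variants on a plain name with an apostrophe and return the outcomes."""
    conn = build_db()
    term = "O'Brien"  # constructed input: a normal name, not an attack string
    try:
        unsafe = search_members_unsafe(conn, term)
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal: the input was parsed as SQL.
        unsafe = "SQL error: " + str(exc)
    safe = search_members_safe(conn, term)  # apostrophe is just data here
    return unsafe, safe


if __name__ == "__main__":
    unsafe_result, safe_result = demo()
    print("concatenated query ->", unsafe_result)
    print("parameterised query ->", safe_result)
```

The concatenated variant fails on a legitimate name, which is the same mechanism a crafted value abuses; the bound variant returns the matching row and also keeps `%` and `_` from acting as wildcards, so a search for a literal `%` matches nothing rather than every member.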

Security Summary (AI-generated)

CVE-2026-41460 is a SQL injection vulnerability (CWE-89) affecting SocialEngine versions 7.8.0 and prior. The flaw resides in the /activity/index/get-memberall endpoint, where user-supplied input via the text parameter is not sanitized before being incorporated into a SQL query. Published on 2026-04-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity. Successful exploitation allows reading arbitrary data from the database, resetting administrator account passwords, and gaining unauthorized access to the Packages Manager in the Admin Panel, which can potentially lead to remote code execution.

Advisories detailing the vulnerability and mitigation strategies are available from sources including Karma Insecurity (KIS-2026-08 at https://karmainsecurity.com/KIS-2026-08), VulnCheck (https://www.vulncheck.com/advisories/socialengine-sql-injection-via-activity-index-get-memberall), Full Disclosure (http://seclists.org/fulldisclosure/2026/Apr/12), and the vendor site (https://socialengine.com). Security practitioners should consult these references for patch information and remediation guidance.

Details

CWE(s): CWE-89

Affected Products: socialengine / socialengine ≤ 7.8.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in the public-facing SocialEngine web application directly enables T1190 (Exploit Public-Facing Application) for unauthenticated remote access; it also facilitates arbitrary database reads (T1213.006, Databases), supporting data exfiltration and password resets.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
