SQL Injection Vulnerability in SocialEngine by SocialEngine
CVE-2026-41460

9.3 CRITICAL

Key Information:

Vendor: SocialEngine
CVE Published: 23 April 2026

What is CVE-2026-41460?

SocialEngine versions up to and including 7.8.0 contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint. The text parameter is used in a SQL query without being validated or bound as a parameter, so an unauthenticated attacker who controls its value can change the structure of the query. Exploitation allows an attacker to read sensitive data stored in the database and to reset administrator account passwords; with the resulting administrator access the attacker can reach the Packages Manager in the Admin Panel, which may lead to remote code execution. Organizations running an affected version should apply the vendor's fix as soon as it is available and, until then, restrict or filter access to the affected endpoint.
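
The following is an added illustration of the bug class described above, written for this page; it is not SocialEngine's code and does not reproduce the application's real query. A toy member search splices a search value into SQL the way the advisory describes for the text parameter, next to the corrected form that binds the value, and a small log check flags requests to the endpoint whose text parameter looks like SQL. The table name and columns, the payload, and the access-log lines are all constructed for the example; the only details taken from the advisory are the endpoint path and the parameter name.

```python
"""Toy reproduction of the bug class in CVE-2026-41460: a member-search
query that splices an untrusted `text` value into SQL, next to the fixed
form that binds it, plus a check that flags such requests in web logs.
Added example; not SocialEngine code. Table name, columns, payload and
log lines are constructed for this illustration."""
import re
import sqlite3
import urllib.parse
from typing import List, Tuple

# Hypothetical injection payload: closes the LIKE literal, appends a
# UNION that pulls password hashes, and comments out the trailing quote.
PAYLOAD = "' UNION SELECT user_id, password FROM members --"


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE members (
            user_id  INTEGER PRIMARY KEY,
            name     TEXT NOT NULL,
            password TEXT NOT NULL
        );
        INSERT INTO members VALUES (1, 'admin', 'hash-of-admin-pw');
        INSERT INTO members VALUES (2, 'alice', 'hash-of-alice-pw');
        INSERT INTO members VALUES (3, 'bob',   'hash-of-bob-pw');
        """
    )
    return conn


def search_members_vulnerable(conn: sqlite3.Connection, text: str) -> List[Tuple]:
    # Vulnerable shape: the request value becomes part of the SQL text, so
    # a quote in `text` ends the literal and the remainder is parsed as SQL.
    sql = ("SELECT user_id, name FROM members "
           "WHERE name LIKE '%" + text + "%'")
    return conn.execute(sql).fetchall()


def search_members_fixed(conn: sqlite3.Connection, text: str) -> List[Tuple]:
    # Fixed shape: the value is bound as a parameter, so it is only ever
    # compared as data and cannot change the statement structure.
    sql = "SELECT user_id, name FROM members WHERE name LIKE ?"
    return conn.execute(sql, ("%" + text + "%",)).fetchall()


# Constructed access-log lines (not real traffic). The endpoint path and
# parameter name come from the advisory; everything else is made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Apr/2026:10:00:01 +0000] "GET /activity/index/get-memberall?text=ali HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Apr/2026:10:00:07 +0000] "GET /activity/index/get-memberall?text=%27%20UNION%20SELECT%20user_id%2Cpassword%20FROM%20members%20-- HTTP/1.1" 200 2048',
    '198.51.100.2 - - [23/Apr/2026:10:00:09 +0000] "GET /members/home?text=%27 HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"GET /activity/index/get-memberall\?([^" ]*) HTTP/')
# Cheap indicators of SQL syntax inside a search string; tune to local traffic.
SUSPICIOUS_RE = re.compile(r"'|--|/\*|\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b", re.I)


def flag_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded text value) for GET hits on the vulnerable
    endpoint whose `text` parameter looks like SQL. POST bodies are not in
    access logs, so this only covers the GET form of the request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = urllib.parse.parse_qs(m.group(1))
        for value in params.get("text", []):
            if SUSPICIOUS_RE.search(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_members_vulnerable(db, PAYLOAD))
    print("fixed:     ", search_members_fixed(db, PAYLOAD))
    print("flagged:   ", flag_requests(SAMPLE_LOG))
```

Run against the constructed data, the vulnerable search returns the password hashes alongside the member names, while the bound version treats the whole payload as a (non-matching) search string and returns nothing. The log check is a triage aid, not a control: it covers only GET requests whose query string is logged, and the keyword list is deliberately coarse.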

Affected Version(s)

SocialEngine, all versions up to and including 7.8.0

CVSS V4

Score: 9.3
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published: 23 April 2026

Credit

Egidio Romano