SQL Injection Vulnerability in phili67 Ecclesia CRM by phili67
CVE-2026-6628

5.3MEDIUM

Key Information:

Vendor: Phili67
Status: Ecclesia Crm
Vendor: CVE Published:; 20 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-6628?

A security flaw exists in phili67 Ecclesia CRM versions up to 8.0.0, impacting the ValidateInput function located in the /v2/query/view/ path of the Query Viewer Component. By manipulating the 'custom' parameter, an attacker can exploit this vulnerability to execute SQL injection attacks. This exploit can be initiated remotely, allowing unauthorized access and manipulation of the database. The exploit has been publicly disclosed, and the vendor has not responded to prior notifications regarding this issue.

Affected Version(s)

Ecclesia CRM 8.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-6628 - Proof of Concept

References

https://vuldb.com/vuln/358262

vdb-entrytechnical-description

https://vuldb.com/vuln/358262/cti

signaturepermissions-required

https://vuldb.com/submit/792607

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 20, 2026
👾
Exploit known to exist
Apr 20, 2026
Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Apr 19, 2026

Credit

Nicolas Pauferro (VulDB User)

VulDB CNA Team

CVE-2026-6628 Data

JSON

Phili67