10 matches found
CVE-2026-42550
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...
CVE-2026-42550
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...
CVE-2026-42550
Flight (PHP) vulnerability CVE-2026-42550 affects SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() prior to version 3.18.1. These helpers concatenate the table name and data keys directly into SQL without identifier quoting or validation, enabling SQL injection when attacker-cont...
CVE-2026-42550 Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...
CVE-2026-42550 Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...
Flight SQL注入漏洞
Flight is a PHP microframework developed by Mike Cao. Versions of Flight prior to 3.18.1 contained an SQL injection vulnerability. This vulnerability occurred because the methods SimplePdo::insert, SimplePdo::update, and SimplePdo::delete directly concatenated the $table parameter and the keys fr...
Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
Summary SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these...
GHSA-XWQR-RCQG-22MR Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
Summary SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the SimplePdo::insert, SimplePdo::update, and SimplePdo::delete functions. An attacker can execute arbitrary SQL commands by supplying crafted array keys or table names that are directly concatenated into SQL statement...
PT-2026-38272
Name of the Vulnerable Software and Affected Versions Flight versions prior to 3.18.1 Description The SimplePdo::insert, SimplePdo::update, and SimplePdo::delete functions build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query without...