CVE-2026-42550

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1.

Vulnerability Details

Published Date

May 06, 2026

Last Modified

May 14, 2026

CWE ID

CWE-89

Source

GitHub

Vendor

composer

Product

flightphp/core

External References

https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr
https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
https://github.com/flightphp/core/releases/tag/v3.18.1
https://github.com/advisories/GHSA-xwqr-rcqg-22mr

CVE-2026-42550

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment