GHSA-xwqr-rcqg-22mr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xwqr-rcqg-22mr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xwqr-rcqg-22mr/GHSA-xwqr-rcqg-22mr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xwqr-rcqg-22mr
- Aliases
-
- CVE-2026-42550
- Published
- 2026-05-06T21:35:55Z
- Modified
- 2026-05-06T21:49:51.994849Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
- Details
-
Summary
SimplePdo::insert(),SimplePdo::update(), andSimplePdo::delete()build SQL statements by concatenating the$tableargument and the keys of the$dataarray directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g.$db->insert('users', $request->data->getData())— an attacker can inject arbitrary SQL by crafting malicious array keys.Affected code
flight/database/SimplePdo.php:// insert (≈ 320-373) $sql = sprintf( "INSERT INTO %s (%s) VALUES (%s)", $table, // raw concat implode(', ', $columns), // raw array_keys($data) implode(', ', $placeholders) ); // update (≈ 397-409) $sets[] = "$column = ?"; // $column = user-controlled key $sql = sprintf( "UPDATE %s SET %s WHERE %s", $table, // raw implode(', ', $sets), $where ); // delete (≈ 427-429) $sql = "DELETE FROM $table WHERE $where";No identifier-quoting helper exists; neither
$tablenor the data keys are validated against a safe-identifier pattern.Proof of concept
A controller does:
$db->insert('users', $request->data->getData());The attacker sends the JSON body:
{"name, is_admin) VALUES (?, 1);-- ": "attacker_injected"}Generated SQL:
INSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?)After the
--comment, the effective statementINSERT INTO users (name, is_admin) VALUES (?, 1)binds the single placeholder'attacker_injected', yielding a row withis_admin = 1.Reproduced live on an in-memory sqlite database (
testproj/sqli_live2.php):id=1 name=alice is_admin=0 id=2 name=attacker_injected is_admin=1 <-- injected insertUPDATEinjection via the$whereparameter was also reproduced:$db->update('users', ['is_admin' => 1], "id = 1 OR 1=1")flips admin on every row.Impact
- Privilege escalation on any signup / register endpoint that forwards request data to
insert()(attacker creates an administrative account in a single request). - Arbitrary column write through
update()keys. - Data destruction and exfiltration through the
$whereparameter (DELETE FROM users WHERE 1=1, UNION-based exfil, etc.).
Patch (fixed in
3.18.1, commitb8dd23a)A new
requireSafeIdentifier()helper validates table names and column names against^[A-Za-z_][A-Za-z0-9_]*$before they are interpolated into the SQL string. The$whereparameter remains raw SQL as documented — parameterized values passed alongside it continue to be bound safely.Credit
Discovered by @Rootingg.
- Privilege escalation on any signup / register endpoint that forwards request data to
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-06T21:35:55Z", "cwe_ids": [ "CWE-89" ], "severity": "HIGH", "nvd_published_at": null }- References
Affected packages
Packagist / flightphp/core
Package
- Name
- flightphp/core
- Purl
- pkg:composer/flightphp/core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.18.1