{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30463", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T19:53:15.741Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T18:51:53.540Z"}, "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://pentest-tools.com/PTT-2025-030%E2%80%93SQL-Injection-via-Password-Reset.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:51:55.482895Z", "id": "CVE-2026-30463", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:53:15.741Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30463", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:51:55.482895Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:52:28.659Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://pentest-tools.com/PTT-2025-030%E2%80%93SQL-Injection-via-Password-Reset.pdf"}], "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T18:51:53.540Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30463", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:53:15.741Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "E3A44312-83D2-4421-9A35-3FD048EA578A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component."}, {"lang": "es", "value": "Daylight Studio FuelCMS v1.5.2 se descubri\u00f3 que conten\u00eda una vulnerabilidad de inyecci\u00f3n SQL a trav\u00e9s del componente /controllers/Login.php."}], "id": "CVE-2026-30463", "lastModified": "2026-03-30T14:14:29.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T19:17:00.183", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://daylight.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "http://fuelcms.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://pentest-tools.com/PTT-2025-030%E2%80%93SQL-Injection-via-Password-Reset.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.2"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fuel_cms", "vendor": "daylightstudio"}], "analysis": {"en": {"generated_at": "2026-03-30T16:27:57.301545+00:00", "value": {"mitigation_remediation": ["Apply the official patch or upgrade to a newer release of FuelCMS if one is available.", "If no patch is released yet, limit external access to the Login.php endpoint by configuring firewall rules or IP whitelisting to allow only trusted networks.", "Implement input validation or switch to parameterized queries on the login fields, if you maintain the code.", "Continuously monitor authentication logs for anomalous behavior and investigate any suspicious login attempts."], "summary": {"action": "Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Daylight Studio FuelCMS, release 1.5.2, as identified by the CPE string cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2. No other vendors, products, or versions are listed in the advisory, so the risk applies only to this single version.", "description_and_impact": "The FuelCMS application by Daylight Studio version 1.5.2 contains a SQL injection flaw in the Login.php controller. The vulnerability allows an attacker who can send a specially crafted HTTP request to the login endpoint to inject arbitrary SQL statements into the backend database query. Successful exploitation can read, modify, or delete data, compromising the confidentiality, integrity, and availability of the CMS content and user information.", "risk_and_exploitability": "The CVSS base score of 7.7 indicates high severity, while the EPSS probability of less than 1\u202f% suggests that widespread exploitation is currently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. It can be inferred that the attack vector is a web\u2011based request to the Login.php controller, typically by submitting injected input through the login form or related authentication fields. With network access to the affected web application, an attacker could execute arbitrary SQL commands, potentially leading to data exposure or modification."}}}}, "created": "2026-03-27T08:36:24.942639+00:00", "title": "SQL Injection via Login Controller in FuelCMS 1.5.2", "updated": "2026-03-30T20:57:47.517590+00:00", "vendors": ["daylightstudio", "daylightstudio$PRODUCT$fuel_cms"]}