Fuel CMS Blind SQL Injection Vulnerability in Activity Log

Vulnerability

A blind SQL injection vulnerability has been identified in Fuel CMS version 1.4.13. It allows an authenticated attacker to inject SQL through the 'col' parameter of the Activity Log interface, altering the database query and inferring database contents from differences in response time (time-based blind injection).

Impact

Exploitation results in blind SQL injection: an attacker can manipulate the underlying database queries and potentially extract sensitive information from the database one inference at a time.

Reproduction

To reproduce this vulnerability, log into the Fuel CMS admin panel and navigate to the 'Activity Log' menu. Select any type option; the resulting request carries the 'col' parameter, which is the vulnerable input. Injecting a SQL payload such as a sleep command into the 'col' parameter causes a delay in the response, confirming the injection.
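The root cause is a sort column name that is spliced into the query as an identifier. One way to close this class of bug, as an added example that is not Fuel CMS's own code: because a column name cannot be bound as a query parameter, it must be checked against an allowlist before it reaches ORDER BY, while the type filter is bound as a real parameter. The table layout, column names and rows below are constructed for the example.

```python
import sqlite3

# Columns the Activity Log screen is allowed to sort on.
# Constructed for this example; the real Fuel CMS column list may differ.
ALLOWED_COLS = {"id", "type", "name", "user_id", "date_added"}


def validate_col(col: str) -> str:
    """Return col unchanged if it is a known column name, otherwise raise.

    An identifier cannot be passed as a bound parameter, so an exact-match
    allowlist is the check: anything that is not literally one of the
    known columns (including 'name, 1' or 'name--') is rejected outright.
    """
    if col not in ALLOWED_COLS:
        raise ValueError(f"unknown sort column: {col!r}")
    return col


def fetch_activity(conn, col: str, type_filter: str, direction: str = "ASC"):
    """Run the Activity Log query with the column allowlisted and the
    type filter bound as a parameter, so neither input can alter the SQL."""
    direction = "DESC" if direction.upper() == "DESC" else "ASC"
    sql = (
        "SELECT id, type, name FROM logs WHERE type = ? "
        f"ORDER BY {validate_col(col)} {direction}"
    )
    return conn.execute(sql, (type_filter,)).fetchall()


def demo_db():
    """In-memory stand-in for the activity log table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logs (id INTEGER, type TEXT, name TEXT, "
        "user_id INTEGER, date_added TEXT)"
    )
    conn.executemany(
        "INSERT INTO logs VALUES (?, ?, ?, ?, ?)",
        [
            (1, "login", "bob", 7, "2026-05-01"),
            (2, "login", "alice", 3, "2026-05-02"),
            (3, "save", "carol", 5, "2026-05-03"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(fetch_activity(db, "name", "login"))   # two login rows, alice first
    try:
        fetch_activity(db, "name, 1", "login")   # rejected before any SQL runs
    except ValueError as exc:
        print("rejected:", exc)
```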

Added: May 16, 2026, 4:19 PM
Updated: May 16, 2026, 4:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 8.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.