Vulnerabilities ›

CVE-2026-6628

Medium

CWE-74 — Weakness Type

                    Published: Apr 20, 2026                      ·  Modified: Apr 23, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A flaw has been found in phili67 Ecclesia CRM up to 8.0.0. This affects the function ValidateInput of the file /v2/query/view/ of the component Query Viewer Component. This manipulation of the argument custom causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Executive Summary

A SQL injection vulnerability exists in Ecclesia CRM versions up to 8.0.0 in the Query Viewer Component's ValidateInput function, allowing remote attackers to manipulate the 'custom' argument. The vulnerability has a published exploit and the vendor has not responded to disclosure attempts.

📄 Description (Arabic)

ثغرة حقن SQL في Ecclesia CRM تؤثر على مكون عارض الاستعلامات حيث يمكن للمهاجمين التلاعب بمعامل 'custom' في دالة ValidateInput. يمكن استغلال هذه الثغرة عن بعد وقد تم نشر رمز الاستغلال بالفعل.

🤖 ملخص تنفيذي (AI)

ثغرة حقن SQL موجودة في نسخ Ecclesia CRM حتى الإصدار 8.0.0 في مكون عارض الاستعلامات، مما يسمح للمهاجمين البعيدين بمعالجة معامل 'custom'. تم نشر استغلال الثغرة ولم يستجب البائع لمحاولات الإفصاح.

🤖 AI Intelligence Analysis Analyzed: May 18, 2026 23:29

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking government healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1083 T1005

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade Ecclesia CRM to a patched version beyond 8.0.0 if available, or implement Web Application Firewall (WAF) rules to filter malicious SQL patterns in the /v2/query/view/ endpoint. Disable the Query Viewer Component if not required and apply input validation and parameterized queries.

🔧 خطوات المعالجة (العربية)

قم بترقية Ecclesia CRM فوراً إلى إصدار مصحح يتجاوز 8.0.0 إن توفر، أو طبق قواعد جدار حماية تطبيقات الويب لتصفية أنماط SQL الضارة في نقطة نهاية /v2/query/view/. عطل مكون عارض الاستعلامات إذا لم يكن مطلوباً وطبق التحقق من صحة الإدخال والاستعلامات المعاملة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.13.1.1 A.14.2.1

🔵 SAMA CSF

ID.RA-1 PR.DS-6 PR.IP-1

🟡 ISO 27001:2022

A.12.6.1 A.14.2.1

🔗 References & Sources 4

🔗

https://github.com/NicolasPauferro/studiessqli

cna@vuldb.com

🔗

https://vuldb.com/submit/792607

cna@vuldb.com

🔗

https://vuldb.com/vuln/358262

cna@vuldb.com

🔗

https://vuldb.com/vuln/358262/cti

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-74

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-04-20

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-74

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-6628

Introduce Yourself

Sign In Required