HIGH · CVE-2026-6490 · CVSS 7.3

CVE-2026-6490: SQL Injection in QueryMine sms

Platform

php

Component

querymine-sms

Fixed in

7.0.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-6490 describes a SQL Injection vulnerability discovered in QueryMine sms, affecting versions up to 7ab5a9ea196209611134525ffc18de25c57d9593. This flaw allows attackers to inject malicious SQL code through the ID parameter in the admin/deletecourse.php file, potentially compromising sensitive data. Due to QueryMine's rolling release model, specific fixed versions are unavailable, necessitating alternative mitigation strategies.

Impact and Attack Scenarios

The SQL Injection vulnerability in QueryMine sms presents a significant risk. An attacker could exploit this flaw to bypass authentication, retrieve sensitive data such as user credentials, financial information, or internal system configurations, and even execute arbitrary commands on the database server. Successful exploitation could lead to complete system compromise and data exfiltration. Given the public availability of the exploit, the potential for widespread attacks is high. The impact is amplified by the fact that QueryMine sms is often used in environments handling sensitive customer data, making it a prime target for malicious actors.

Exploitation Context

CVE-2026-6490 has been publicly disclosed and an exploit is available, indicating a high probability of exploitation. The vulnerability is tracked on the NVD and CISA websites. Given the ease of exploitation and the sensitivity of data potentially exposed, organizations using QueryMine sms should prioritize mitigation efforts. The CVSS score of 7.3 (HIGH) reflects the significant risk posed by this vulnerability.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.04% (11% percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Base score: 7.3 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: querymine-sms
Vendor: QueryMine
Affected range: 7ab5a9ea196209611134525ffc18de25c57d9593 – 7ab5a9ea196209611134525ffc18de25c57d9593
Fixed in: 7.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Unpatched — 37 days since disclosure

Mitigation and Workarounds

While a specific patched version isn't available due to QueryMine's rolling release model, several mitigation steps can reduce the risk. Implement strict input validation on the ID parameter in admin/deletecourse.php to prevent malicious SQL code from being injected. Deploy a Web Application Firewall (WAF) with rules to detect and block SQL Injection attempts targeting this endpoint. Consider using parameterized queries or prepared statements to further isolate user input from SQL commands. Regularly review and audit database access logs for suspicious activity. After implementing these mitigations, verify their effectiveness by attempting to reproduce the vulnerability with controlled test inputs.
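The input-validation and prepared-statement mitigations above, as an added PHP example that is not QueryMine's own code. It assumes a PDO connection `$pdo` created by the application's database bootstrap (with `PDO::ERRMODE_EXCEPTION` enabled), a `courses` table with an integer primary key `id`, and that the admin authentication check has already run before this handler; the vulnerable pattern shown in the comment is illustrative, not the actual contents of admin/deletecourse.php.

```php
<?php
// Added example (not from QueryMine): a hardened handler for the
// "delete course by ID" pattern. Assumed: $pdo is a PDO connection
// created elsewhere by the app's db bootstrap; table `courses`, integer key `id`.
declare(strict_types=1);

/** @var PDO $pdo  Assumed to be provided by the application's db bootstrap. */

// Vulnerable pattern (illustrative only): untrusted input spliced into SQL text.
//   $pdo->exec("DELETE FROM courses WHERE id = " . $_GET['ID']);

/**
 * Strictly validate the ID parameter as a positive integer.
 * Returns null when the value is missing, not a string, or not a plain integer,
 * so anything that is not a numeric id is rejected before it reaches SQL.
 */
function validateCourseId(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Delete a course by id with a prepared statement: the value is bound as an
 * integer parameter and never becomes part of the SQL string.
 * Returns the number of rows deleted (0 or 1 for a primary-key match).
 */
function deleteCourse(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM courses WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$id = validateCourseId($_GET['ID'] ?? null);
if ($id === null) {
    http_response_code(400);
    // Record the rejection so the audit-log review recommended above can spot probing.
    error_log('deletecourse: rejected non-integer ID parameter');
    exit('Invalid course id');
}

$deleted = deleteCourse($pdo, $id);
echo $deleted === 1 ? 'Course deleted' : 'No such course';
```

A controlled verification of the fix is to submit a non-numeric ID value and confirm the handler returns HTTP 400 with no query executed, while a valid numeric id still deletes exactly one row.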

How to fix

Update to the latest available version of QueryMine sms. Due to the continuous release model, please consult the official documentation or contact the vendor for information on specific affected versions and available updates.


Frequently asked questions

What is CVE-2026-6490 — SQL Injection in QueryMine sms?

CVE-2026-6490 is a SQL Injection vulnerability affecting QueryMine sms versions up to 7ab5a9ea196209611134525ffc18de25c57d9593, allowing attackers to inject malicious SQL code.

Am I affected by CVE-2026-6490 in QueryMine sms?

If you are using QueryMine sms versions prior to the rolling release updates, you are potentially affected. Check your current version against the affected range.

How do I fix CVE-2026-6490 in QueryMine sms?

Due to the rolling release model, a specific patch isn't available. Implement input validation, WAF rules, and parameterized queries as mitigations.

Is CVE-2026-6490 being actively exploited?

Yes, an exploit is publicly available, indicating a high probability of active exploitation.

Where can I find the official QueryMine advisory for CVE-2026-6490?

Refer to the QueryMine website and security advisories for updates and recommendations regarding this vulnerability.
