Platform: php
Component: querymine-sms
Fixed in: 7.0.1
CVE-2026-6490 describes a SQL Injection vulnerability discovered in QueryMine sms, affecting versions up to 7ab5a9ea196209611134525ffc18de25c57d9593. The flaw allows attackers to inject SQL code through the ID parameter of the admin/deletecourse.php file, potentially compromising sensitive data. Because QueryMine follows a rolling release model, no specific fixed version is published, so alternative mitigation strategies are needed.
The SQL Injection vulnerability in QueryMine sms presents a significant risk. An attacker could exploit this flaw to bypass authentication, retrieve sensitive data such as user credentials, financial information, or internal system configurations, and even execute arbitrary commands on the database server. Successful exploitation could lead to complete system compromise and data exfiltration. Given the public availability of the exploit, the potential for widespread attacks is high. The impact is amplified by the fact that QueryMine sms is often used in environments handling sensitive customer data, making it a prime target for malicious actors.
CVE-2026-6490 has been publicly disclosed and an exploit is available, indicating a high probability of exploitation. The vulnerability is tracked on the NVD and CISA websites. Given the ease of exploitation and the sensitivity of data potentially exposed, organizations using QueryMine sms should prioritize mitigation efforts. The CVSS score of 7.3 (HIGH) reflects the significant risk posed by this vulnerability.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
While a specific patched version isn't available due to QueryMine's rolling release model, several mitigation steps can reduce the risk. Implement strict input validation on the ID parameter in admin/deletecourse.php so that only the expected value type reaches the database. Deploy a Web Application Firewall (WAF) with rules to detect and block SQL Injection attempts targeting this endpoint. Use parameterized queries or prepared statements so that user input is never concatenated into SQL text. Regularly review and audit database access logs for suspicious activity. After implementing these mitigations, verify their effectiveness by attempting to reproduce the vulnerability with controlled test inputs.
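As an added illustration of the mitigations above (this is example code, not QueryMine's own admin/deletecourse.php), the hardened handler below validates the ID parameter as a canonical positive integer, binds it through a PDO prepared statement, and logs rejected input for audit. The table and column names (`courses`, `id`), the `admin_id` session key, the POST-only restriction and the connection details are assumptions.

```php
<?php
// Added example (not QueryMine's code): a hardened deletecourse-style handler.
// Table/column names, the session key and the DSN are assumptions.
declare(strict_types=1);

// The weak pattern this advisory describes: request input spliced into SQL text.
// $db->query("DELETE FROM courses WHERE id = " . $_GET['id']);   // never do this

function parseCourseId(?string $raw): ?int
{
    // Accept only a canonical positive integer (no sign, no leading zeros,
    // no whitespace); anything else is rejected before reaching the database.
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function deleteCourse(PDO $pdo, int $courseId): int
{
    // Parameterized statement: the ID travels as a bound value, never as SQL.
    $stmt = $pdo->prepare('DELETE FROM courses WHERE id = :id');
    $stmt->bindValue(':id', $courseId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

session_start();
if (empty($_SESSION['admin_id'])) {            // assumed admin session key
    http_response_code(403);
    exit('Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {   // destructive action: POST only
    http_response_code(405);
    exit('Method Not Allowed');
}
$courseId = parseCourseId($_POST['id'] ?? null);
if ($courseId === null) {
    http_response_code(400);
    // Audit hook: rejected input is worth reviewing alongside database logs.
    error_log('deletecourse: rejected malformed id from ' . $_SERVER['REMOTE_ADDR']);
    exit('Bad Request');
}
$pdo = new PDO('mysql:host=localhost;dbname=sms', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,       // true server-side prepares
]);
$deleted = deleteCourse($pdo, $courseId);
echo $deleted === 1 ? 'Course deleted' : 'No such course';
```

With `PDO::ATTR_EMULATE_PREPARES` disabled, the statement and its parameter are sent to MySQL separately, so a controlled test input such as `1 OR 1=1` is rejected by `parseCourseId` and could not alter the query even if it reached `deleteCourse`.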
Update to the latest available version of QueryMine sms. Due to the continuous release model, please consult the official documentation or contact the vendor for information on specific affected versions and available updates.
CVE-2026-6490 is a SQL Injection vulnerability affecting QueryMine sms versions up to 7ab5a9ea196209611134525ffc18de25c57d9593, allowing attackers to inject malicious SQL code.
If you are using QueryMine sms versions prior to the rolling release updates, you are potentially affected. Check your current version against the affected range.
Due to the rolling release model, a specific patch isn't available. Implement input validation, WAF rules, and parameterized queries as mitigations.
Yes, an exploit is publicly available, indicating a high probability of active exploitation.
Refer to the QueryMine website and security advisories for updates and recommendations regarding this vulnerability.