Skip to main content

Fox Lms CVE-2026-31922

| EUVDEUVD-2026-11798 HIGH
SQL Injection (CWE-89)
2026-03-13 Patchstack
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11798
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection.This issue affects Fox LMS: from n/a through <= 1.0.6.3.

AnalysisAI

Fox LMS versions 1.0.6.3 and earlier are vulnerable to blind SQL injection attacks through improper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries and potentially exfiltrate sensitive database information. The vulnerability requires user authentication but can be exploited remotely with no user interaction needed, and carries a high CVSS score of 8.5. No patch is currently available for affected organizations.

Technical ContextAI

Fox LMS is a learning management system developed by Ays Pro that suffers from improper neutralization of special elements in SQL commands (CWE-89). This classic SQL injection vulnerability occurs when user-supplied input is inadequately sanitized before being incorporated into SQL queries, allowing attackers to manipulate the query structure. The blind SQL injection variant means attackers cannot see direct query results but can infer information through boolean-based or time-based techniques by observing application behavior differences.

RemediationAI

Upgrade Fox LMS to a version newer than 1.0.6.3 if available from Ays Pro, though no specific patched version has been identified in the available sources. In the absence of a vendor patch, implement web application firewall (WAF) rules to filter SQL injection attempts, enforce parameterized queries or stored procedures if you have access to modify the application, and apply the principle of least privilege to database accounts used by Fox LMS. Monitor database logs for suspicious query patterns that may indicate exploitation attempts.

Share

CVE-2026-31922 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy