Flight PHP CVE-2026-42550
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers - a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) - an attacker can inject arbitrary SQL by crafting malicious array keys.
Affected code
flight/database/SimplePdo.php:
// insert (≈ 320-373)
$sql = sprintf(
"INSERT INTO %s (%s) VALUES (%s)",
$table, // raw concat
implode(', ', $columns), // raw array_keys($data)
implode(', ', $placeholders)
);
// update (≈ 397-409)
$sets[] = "$column = ?"; // $column = user-controlled key
$sql = sprintf(
"UPDATE %s SET %s WHERE %s",
$table, // raw
implode(', ', $sets),
$where
);
// delete (≈ 427-429)
$sql = "DELETE FROM $table WHERE $where";No identifier-quoting helper exists; neither $table nor the data keys are validated against a safe-identifier pattern.
Proof of concept
A controller does:
$db->insert('users', $request->data->getData());The attacker sends the JSON body:
{"name, is_admin) VALUES (?, 1);-- ": "attacker_injected"}Generated SQL:
INSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?)After the -- comment, the effective statement INSERT INTO users (name, is_admin) VALUES (?, 1) binds the single placeholder 'attacker_injected', yielding a row with is_admin = 1.
Reproduced live on an in-memory sqlite database (testproj/sqli_live2.php):
id=1 name=alice is_admin=0
id=2 name=attacker_injected is_admin=1 <-- injected insertUPDATE injection via the $where parameter was also reproduced: $db->update('users', ['is_admin' => 1], "id = 1 OR 1=1") flips admin on every row.
Impact
- Privilege escalation on any signup / register endpoint that forwards request data to
insert()(attacker creates an administrative account in a single request). - Arbitrary column write through
update()keys. - Data destruction and exfiltration through the
$whereparameter (DELETE FROM users WHERE 1=1, UNION-based exfil, etc.).
Patch (fixed in 3.18.1, commit b8dd23a)
A new requireSafeIdentifier() helper validates table names and column names against ^[A-Za-z_][A-Za-z0-9_]*$ before they are interpolated into the SQL string. The $where parameter remains raw SQL as documented - parameterized values passed alongside it continue to be bound safely.
Credit
Discovered by @Rootingg.
AnalysisAI
SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.
Technical ContextAI
Flight PHP is a lightweight PHP micro-framework. The vulnerability exists in the SimplePdo database abstraction layer (flight/database/SimplePdo.php), a convenience wrapper over PHP's PDO. CWE-89 (SQL Injection) occurs because SimplePdo::insert(), update(), and delete() concatenate the $table parameter and all keys from the $data associative array directly into SQL strings using sprintf() and implode() without identifier quoting or validation. While placeholder binding protects VALUES, the column identifiers derived from array_keys($data) remain unquoted. PHP associative arrays allow arbitrary string keys, so user input shapes like {'malicious; DROP TABLE--': 'value'} pass through JSON deserialization into array keys, then directly into column positions in INSERT/UPDATE statements. The $where parameter in update() and delete() is documented as raw SQL but lacks guardrails. The patch introduces requireSafeIdentifier() enforcing the safe pattern ^[A-Za-z_][A-Za-z0-9_]*$ before interpolation, typical of SQL identifier validation but absent in the original design. CPE pkg:composer/flightphp_core indicates Composer/Packagist distribution.
RemediationAI
Upgrade flightphp/core to version 3.18.1 or later immediately. Update composer.json to require 'flightphp/core: ^3.18.1' and run composer update. The patch (commit b8dd23aaa828cb289fa3c84e75b2a3717cab50b0) introduces requireSafeIdentifier() validation for table names and column identifiers before SQL interpolation, blocking injection attempts. Verify the upgrade by checking vendor/flightphp/core/flight/database/SimplePdo.php contains the new requireSafeIdentifier() method. For environments unable to upgrade immediately, implement strict input validation before calling SimplePdo methods: whitelist allowed column names, reject any $data array keys not matching [A-Za-z_][A-Za-z0-9_]*, and sanitize $where clauses (though the framework documents $where as raw SQL, treat it as untrusted input). Alternatively, replace SimplePdo calls with direct parameterized PDO queries using quoted identifiers via PDO::quote() or a safe identifier-quoting function, though this requires code changes. Advisory and patch details available at https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr and https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xwqr-rcqg-22mr