Skip to main content

Tainacan CVE-2026-42740

| EUVDEUVD-2026-32192 CRITICAL
SQL Injection (CWE-89)
2026-05-27 audit@patchstack.com GHSA-9h9p-24mg-7v88
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 19:46 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection.This issue affects Tainacan: from n/a through <= 1.0.3.

AnalysisAI

Blind SQL injection in the Tainacan WordPress plugin (versions up to and including 1.0.3) lets remote unauthenticated attackers inject crafted SQL into backend database queries. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope plus high confidentiality impact drive the 9.3 score. There is no public exploit identified at the time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and unauthenticated reach make it a high-priority patch candidate.

Technical ContextAI

Tainacan is an open-source WordPress plugin used to build and manage digital repositories and collections (commonly deployed by museums, archives, libraries, and universities). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input reaches a database query without proper sanitization or parameterization. The 'blind' classification indicates the attacker does not see query results directly in responses but infers data through boolean/time-based behavioral differences. The CVSS scope-changed flag (S:C) suggests the injection can affect resources beyond the vulnerable component's security authority - consistent with SQLi reaching the shared WordPress/MySQL backend that other site components rely on.

RemediationAI

No vendor-released patch version is identified in the available data, so a specific fixed release cannot be cited; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/tainacan/vulnerability/wordpress-tainacan-plugin-1-0-3-sql-injection-vulnerability?_s_id=cve) and the plugin's WordPress.org page for an updated version above 1.0.3 and upgrade as soon as one is published. Until a fixed release is confirmed, restrict access to the affected endpoints by placing the WordPress site or its admin/REST paths behind a WAF or virtual-patching rule (Patchstack and similar services offer signatures for this CVE) - note this may produce false positives on legitimate query parameters. As an interim measure, deactivate the Tainacan plugin if its functionality is not business-critical, accepting the trade-off that collection/repository features will be unavailable. Additionally, limit network exposure of the site to trusted users where feasible and apply least-privilege to the WordPress database account to reduce the blast radius of a successful injection.

Share

CVE-2026-42740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy