Cyber Resilience

CVE-2021-47766

High · Public PoC

Published: 15 January 2026
Modified: 15 April 2026
KEV Added: none
Patch: none
CVSS Score v4: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (3.6th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47766 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2021-47766 is an authenticated SQL injection vulnerability (CWE-89) in Kmaleon version 1.1.0.205. The issue affects the 'tipocomb' parameter in the kmaleonW.php component, where insufficient input validation allows attackers to manipulate database queries using boolean-based, error-based, and time-based blind SQL injection techniques.

The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating network accessibility, low attack complexity, and exploitation requiring low-privilege authenticated access without user interaction. Attackers can leverage this to extract sensitive database information or perform limited manipulation, achieving high confidentiality impact and low integrity impact with no availability disruption.

References include a web archive of the vendor site at https://web.archive.org/web/20210616143348/https://www.levelprograms.com/kmaleon-abogados/ and an Exploit-DB entry (https://www.exploit-db.com/exploits/50499) providing details on exploitation techniques. No specific patch or mitigation guidance is detailed in the available information.

EU & UK References

Vulnerability details

Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Authenticated SQL injection directly enables exploitation of a web app (T1190) and extraction/manipulation of database contents (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2019-25537 (shared CWE-89)
- CVE-2019-25366 (shared CWE-89)
- CVE-2019-25496 (shared CWE-89)
- CVE-2026-1475 (shared CWE-89)
- CVE-2026-26990 (shared CWE-89)
- CVE-2026-44047 (shared CWE-89)
- CVE-2025-12865 (shared CWE-89)
- CVE-2024-11135 (shared CWE-89)
- CVE-2019-25491 (shared CWE-89)
- CVE-2024-13369 (shared CWE-89)

Affected Assets

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validation of the 'tipocomb' parameter to block boolean-, error-, and time-based SQL injection payloads before they reach the database query in kmaleonW.php.

prevent: Requires suppression of verbose database error messages that enable error-based blind SQL injection exploitation of the vulnerable parameter.

prevent: Limits the database privileges granted to the low-privilege authenticated account, reducing the impact of any successful query manipulation via the vulnerable parameter.
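As an added illustration of the three controls above (input validation, error suppression, least privilege), and not code from Kmaleon or from this page: a hypothetical PHP handler for the 'tipocomb' parameter, first in the injectable pattern the advisory describes and then hardened. The table, column and database account names are assumptions, as is PHP 8 with the mysqli extension.

```php
<?php
// Added example (not Kmaleon's code): hypothetical handler for the 'tipocomb'
// parameter of kmaleonW.php. Assumptions: a table `combinaciones` with an
// integer column `tipo`, and a database account `kmaleon_ro` granted only
// SELECT on the tables this page needs (AC-6, least privilege).
declare(strict_types=1);

// Vulnerable pattern: the parameter is interpolated straight into the SQL text,
// so boolean-, error- and time-based payloads become part of the query.
function findCombinationsUnsafe(mysqli $db, string $tipocomb): mysqli_result|false
{
    $sql = "SELECT id, nombre FROM combinaciones WHERE tipo = '" . $tipocomb . "'";
    return $db->query($sql);
}

// Hardened version (SI-10): allow-list the value before it reaches the query,
// then bind it as a typed parameter so it can never change the SQL structure.
function findCombinations(mysqli $db, string $tipocomb): array
{
    // tipocomb is assumed to be a short numeric code; reject anything else.
    if (!preg_match('/^[0-9]{1,3}$/', $tipocomb)) {
        throw new InvalidArgumentException('invalid tipocomb');
    }
    $stmt = $db->prepare('SELECT id, nombre FROM combinaciones WHERE tipo = ?');
    $tipo = (int) $tipocomb;
    $stmt->bind_param('i', $tipo);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Error handling: surface DB failures as exceptions, keep the detail in the
// server log and return a generic message, so an error-based blind injection
// attempt gets no oracle from the HTTP response.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
ini_set('display_errors', '0');

try {
    $db = new mysqli('localhost', 'kmaleon_ro', getenv('DB_PASS') ?: '', 'kmaleon');
    $rows = findCombinations($db, (string) ($_GET['tipocomb'] ?? ''));
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid parameter';
} catch (mysqli_sql_exception $e) {
    error_log('kmaleonW DB error: ' . $e->getMessage()); // detail stays server-side
    http_response_code(500);
    echo 'Internal error';
}
```

The allow-list regex is the part to adapt: it should match only the value shapes 'tipocomb' legitimately takes, and the prepared statement remains the control that holds even if the allow-list is loosened later.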

References