CVE-2021-47766
Published: 15 January 2026
Summary
CVE-2021-47766 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2021-47766 is an authenticated SQL injection vulnerability (CWE-89) in Kmaleon version 1.1.0.205. The issue affects the 'tipocomb' parameter in the kmaleonW.php component, where insufficient input validation allows attackers to manipulate database queries using boolean-based, error-based, and time-based blind SQL injection techniques.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating network accessibility, low attack complexity, and exploitation requiring low-privilege authenticated access without user interaction. Attackers can leverage this to extract sensitive database information or perform limited manipulation, achieving high confidentiality impact and low integrity impact with no availability disruption.
References include a web archive of the vendor site at https://web.archive.org/web/20210616143348/https://www.levelprograms.com/kmaleon-abogados/ and an Exploit-DB entry (https://www.exploit-db.com/exploits/50499) providing details on exploitation techniques. No specific patch or mitigation guidance is detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2773
Vulnerability details
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated SQL injection directly enables exploitation of a web app (T1190) and extraction/manipulation of database contents (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the 'tipocomb' parameter to block boolean-, error-, and time-based SQL injection payloads before they reach the database query in kmaleonW.php.
- Error handling: requires suppression of verbose database error messages that enable error-based blind SQL injection against the authenticated parameter.
- AC-6 (Least Privilege): limits the database privileges granted to the low-privilege authenticated account, reducing the impact of any successful query manipulation via the vulnerable parameter.
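A hardened handler for a 'tipocomb' request parameter that applies the three controls above, added here as an illustration; it is not Kmaleon's code, and the table and column names, the read-only database role and the credentials are hypothetical.

```php
<?php
// Added example, not Kmaleon's own code: a hardened handler for the 'tipocomb'
// query parameter, applying the controls listed above. Table and column
// names (combinaciones, id, nombre, tipo) and the credentials are hypothetical.
declare(strict_types=1);

// Unsafe pattern the advisory describes: interpolating the raw parameter into SQL,
// so a quote or SQL operator in 'tipocomb' changes the query's structure:
//   $sql = "SELECT * FROM combinaciones WHERE tipo = '" . $_GET['tipocomb'] . "'";
function validateTipocomb(?string $raw): int
{
    // SI-10: accept only what the application expects (here a small positive
    // integer id) and reject everything else before it reaches the database.
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,5}$/', $raw)) {
        throw new InvalidArgumentException('invalid tipocomb');
    }
    return (int) $raw;
}

function fetchByTipocomb(PDO $db, int $tipocomb): array
{
    // The value is bound to a prepared statement, never concatenated, so the
    // database treats it strictly as data.
    $stmt = $db->prepare('SELECT id, nombre FROM combinaciones WHERE tipo = :tipo');
    $stmt->bindValue(':tipo', $tipocomb, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// AC-6: connect as a role that can only SELECT from the tables this page needs.
$db = new PDO('mysql:host=localhost;dbname=kmaleon', 'kmaleon_ro', '<password>', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
]);

try {
    $rows = fetchByTipocomb($db, validateTipocomb($_GET['tipocomb'] ?? null));
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
} catch (PDOException $e) {
    // Log the detail server-side and return a generic message, so database
    // errors cannot serve as an oracle for error-based injection.
    error_log('tipocomb lookup failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Internal error';
}
```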