Cyber Resilience

CVE-2021-47909

High · Public PoC

Published: 01 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch
CVSS v4 score: 8.6 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0032 (23.1st percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2021-47909 is a high-severity SQL Injection (CWE-89) vulnerability in Vulnerability Lab (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47909 involves multiple SQL injection vulnerabilities (CWE-89) in Mult-E-Cart Ultimate version 2.4. These flaws affect the inventory, customer, vendor, and order modules, where the 'id' parameter fails to properly sanitize user input, enabling injection of malicious SQL commands. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), highlighting its high severity due to network accessibility and low prerequisite privileges.

Attackers with privileged vendor or admin roles can exploit these issues remotely without user interaction. By manipulating the vulnerable 'id' parameter, they can execute arbitrary SQL commands, compromising the database management system through unauthorized data extraction, modification, or other integrity violations, achieving high confidentiality and integrity impacts.

Advisories from VulnCheck (https://www.vulncheck.com/advisories/mult-e-cart-ultimate-sql-injection-via-vulnerable-id-parameters) and Vulnerability Lab (https://www.vulnerability-lab.com/get_content.php?id=2306) detail the issues, while vendor resources at https://ultimate.multecart.com/ and https://www.techraft.in/ may provide further guidance on patches or mitigations. Security practitioners should review these for specific remediation steps.

Vulnerability details

Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a publicly accessible web application directly enables remote exploitation of the app (T1190) for DB compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Vulnerability Lab (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent: SI-10 (Information Input Validation)

Directly requires input validation and sanitization of parameters like 'id' to prevent SQL injection exploitation in the affected modules.

prevent: SI-2 (Flaw Remediation)

Mandates timely identification, reporting, and correction of software flaws such as the SQL injection vulnerabilities in Mult-E-Cart Ultimate 2.4.

detect

Facilitates vulnerability scanning to identify SQL injection flaws like those in the 'id' parameter before privileged attackers can exploit them.
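The following example is added here to illustrate the flaw class described in the deeper analysis and the SI-10 control above; it is not Mult-E-Cart code and does not reproduce the product's schema or queries. It builds a constructed in-memory SQLite inventory table, places a handler that splices the 'id' parameter into SQL text (the CWE-89 pattern) beside a hardened handler that allow-lists the parameter as a positive integer and binds it through a placeholder, and adds a small check a defender can run over logged 'id' values. The table, the `InvalidParameter` type and all function names are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows standing in for an inventory module (assumption; not the product's schema).
INVENTORY_ROWS = [(1, "WIDGET-A", 10), (2, "WIDGET-B", 5), (3, "GADGET-C", 0)]


def build_db():
    """Create an in-memory SQLite database holding the constructed inventory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (id INTEGER PRIMARY KEY, sku TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", INVENTORY_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The CWE-89 pattern the advisory describes: the request's 'id' value is
    spliced into the SQL string, so whatever it contains becomes part of the query."""
    sql = f"SELECT id, sku, qty FROM inventory WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


class InvalidParameter(ValueError):
    """Raised when the 'id' parameter fails validation (hypothetical error type)."""


# Allow-list for the identifier: a positive decimal integer with a bounded length.
ID_PATTERN = re.compile(r"^[1-9][0-9]{0,9}$")


def validate_id(raw_id):
    """SI-10 style input validation: only a plain positive integer literal is
    accepted, and it is converted to int before reaching the database layer."""
    if not isinstance(raw_id, str) or ID_PATTERN.fullmatch(raw_id) is None:
        raise InvalidParameter(f"rejected id parameter: {raw_id!r}")
    return int(raw_id)


def lookup_hardened(conn, raw_id):
    """Validated value bound through a placeholder: the driver passes it as data,
    never as SQL text, so the query shape cannot change."""
    item_id = validate_id(raw_id)
    sql = "SELECT id, sku, qty FROM inventory WHERE id = ?"
    return conn.execute(sql, (item_id,)).fetchall()


def is_suspicious_id(raw_id):
    """Detection helper for access-log or WAF review: True when an 'id' value
    carries anything beyond a positive integer, which is what probing of this
    parameter looks like in request logs."""
    return ID_PATTERN.fullmatch(raw_id) is None


def demo():
    """Run both handlers against one legitimate and one tampered (constructed) value."""
    conn = build_db()
    benign, tampered = "2", "2 OR 1=1"
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "hardened_benign": lookup_hardened(conn, benign),
        "suspicious": [v for v in (benign, tampered) if is_suspicious_id(v)],
    }
    try:
        lookup_hardened(conn, tampered)
        results["hardened_tampered"] = "accepted"
    except InvalidParameter:
        results["hardened_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the vulnerable handler returning the whole table for the tampered value while the hardened handler rejects it before any SQL is built; the same allow-list doubles as a cheap log-review rule, since a legitimate 'id' for these modules never contains spaces, quotes or operators.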
