CVE-2021-47915
Published: 01 February 2026
Summary
CVE-2021-47915 is a high-severity SQL Injection (CWE-89) vulnerability in Phpsugar PHP Melody. This page lists a CVSS base score of 8.6 (High); note, however, that the CVSS v3.1 vector given in the deeper analysis below (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) resolves to 8.1, so check the scoring source before relying on either figure.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 40.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-47915 is a remote SQL injection vulnerability (CWE-89) affecting PHP Melody version 3.0, specifically in the video edit module. The flaw stems from the unvalidated 'vid' parameter, which allows attackers to inject malicious SQL commands into database queries. This high-severity issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating significant impact on confidentiality and integrity without affecting availability.
Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the 'vid' parameter, they can execute arbitrary SQL queries, potentially extracting sensitive data, modifying database contents, or fully compromising the web application and underlying database management system.
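To make the flaw class concrete, the following Python model (added here as an example; it is not PHP Melody's code and the schema, table names and payloads are constructed) shows a video-edit lookup that concatenates the 'vid' parameter into SQL beside a hardened version that validates the parameter (NIST SI-10) and binds it as a query parameter. Because the vulnerable query also carries the ownership check, an injected comment marker strips that check and a UNION reads another table; both effects match the confidentiality and integrity impact described above.

```python
import re
import sqlite3

# Constructed sample data loosely modelled on a video CMS (not PHP Melody's real schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, owner_id INTEGER);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO videos VALUES (1, 'Intro', 10), (2, 'Private demo', 11);
        INSERT INTO users  VALUES (10, 'alice', 'hash-alice'), (11, 'admin', 'hash-admin');
    """)
    conn.commit()
    return conn


def edit_video_vulnerable(conn, vid, owner_id):
    """Flaw class under discussion: 'vid' is spliced straight into the SQL text.

    owner_id comes from the authenticated session (trusted); vid comes from the
    request (attacker-controlled). Anything after an injected '--' is a comment,
    so the ownership check disappears, and a UNION can read arbitrary tables.
    """
    sql = f"SELECT id, title FROM videos WHERE id = {vid} AND owner_id = {owner_id}"
    return sorted(conn.execute(sql).fetchall())


def edit_video_hardened(conn, vid, owner_id):
    """Hardened form: validate the type (SI-10), then bind the value.

    A bound parameter is sent as data, never parsed as SQL, so even a value that
    slipped past validation could not change the query's structure.
    """
    if not re.fullmatch(r"[0-9]{1,10}", str(vid)):
        raise ValueError("vid must be a decimal integer")
    sql = "SELECT id, title FROM videos WHERE id = ? AND owner_id = ?"
    return sorted(conn.execute(sql, (int(vid), owner_id)).fetchall())


def hardened_rejects(conn, vid, owner_id):
    """True if the hardened handler refuses the input before it reaches the DB."""
    try:
        edit_video_hardened(conn, vid, owner_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # Constructed payloads: the first drops the owner check, the second exfiltrates users.
    print(edit_video_vulnerable(db, "2 OR 1=1 --", 10))
    print(edit_video_vulnerable(db, "0 UNION SELECT id, password_hash FROM users --", 10))
    print(edit_video_hardened(db, "1", 10), edit_video_hardened(db, "2", 10))
    print(hardened_rejects(db, "2 OR 1=1 --", 10))
```

Run as a script, the vulnerable handler returns the other user's private video and then the users table's password hashes, while the hardened handler returns only the caller's own video for a valid id, nothing for a video the caller does not own, and rejects the payload outright. Type validation alone is not the fix; the prepared statement is, and the validator simply fails fast with a clearer error.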
Advisories and reports, including those from PHP Sugar (phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/ and phpmelody.html), Vulncheck (vulncheck.com/advisories/php-melody-sql-injection-vulnerability-via-edit-video-parameter), and Vulnerability Lab (vulnerability-lab.com/get_content.php?id=2295), provide details on the issue and associated fixes. Security practitioners should consult these resources for patch information and mitigation guidance, such as input validation or upgrades.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34756
Vulnerability details
PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. Attackers can exploit the unvalidated 'vid' parameter to execute arbitrary database queries and potentially compromise the web application and database management system.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): direct remote exploitation of a public-facing web application via SQL injection in a web module parameter. Note that the CVSS vector specifies PR:L, so the attacker needs a low-privileged authenticated account on the application, not anonymous access.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the unvalidated 'vid' parameter to prevent injection of malicious SQL commands in the video edit module; in practice this means type-checking the parameter and passing it to the database as a bound parameter rather than as query text.
- SI-2 (Flaw Remediation): ensures timely remediation of the specific SQL injection flaw in PHP Melody 3.0 through patching or code updates as advised in the vendor and Vulnerability Lab reports.
- AC-6 (Least Privilege): limits the damage from a successful SQL injection by restricting the database account the application uses to the tables and operations it actually needs, so that an injected UNION or UPDATE cannot reach unrelated data.