CVE-2022-46071

Critical · Public PoC

Published: 14 December 2022
Modified: 22 April 2025
KEV Added: not listed
Patch: none listed
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.6916 (98.7th percentile)
Risk priority: 61 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-46071 is a critical-severity SQL Injection (CWE-89) vulnerability in Helmet Store Showroom Site, from the Helmet Store Showroom Site Project. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-46071 is an SQL injection vulnerability in the login page of Helmet Store Showroom version 1.0. The flaw, tracked under CWE-89, carries a CVSS 3.1 score of 9.8 and permits unauthenticated attackers to submit crafted input that alters backend database queries.

An attacker with network access to the application can exploit the login form to bypass authentication entirely, obtaining administrative privileges and full control over the affected instance. Successful exploitation grants the ability to read, modify, or delete data and potentially execute further actions within the application.

Public references consist of proof-of-concept videos and a technical write-up demonstrating the injection; no vendor advisory or patch information is included in the provided sources. The EPSS score currently stands at 0.6916 after reaching a peak of 0.7920.

Vulnerability details

There is an SQL injection vulnerability in the Helmet Store Showroom v1.0 login page. It can be exploited to bypass admin access.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: helmet store showroom site project
Product: helmet store showroom site
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
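The login-page weakness described in the analysis above and the "validates query inputs" control can be shown side by side. This is an added example, not code from Helmet Store Showroom: a constructed SQLite users table, a login function that concatenates the username into the query (the CWE-89 pattern) and the parameterised form a fix would use. The table name, columns and the "correct horse" password are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for a login table; the real project's schema is not
# on the page. A production app would use a slow, salted hash (e.g. PBKDF2),
# but the query-construction bug is the same whatever the hash is.
def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?, 'admin')",
                 (pw_hash("correct horse"),))
    return conn

def login_vulnerable(conn, username, password):
    """CWE-89 pattern: input is spliced into the SQL text, so a quote in the
    username ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT id, role FROM users WHERE username = '" + username
           + "' AND password_hash = '" + pw_hash(password) + "'")
    return conn.execute(sql).fetchone()

def login_fixed(conn, username, password):
    """Hardened form: a parameterised query keeps the value out of the SQL
    text, and the password check is a constant-time comparison in code."""
    row = conn.execute(
        "SELECT id, role, password_hash FROM users WHERE username = ?",
        (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], pw_hash(password)):
        return None
    return (row[0], row[1])

if __name__ == "__main__":
    db = make_db()
    # A username containing a quote and comment marker reaches the admin row
    # through the vulnerable query, but is just an unknown username to the fix.
    crafted = "admin'--"
    print("vulnerable:", login_vulnerable(db, crafted, "anything"))  # (1, 'admin')
    print("fixed:     ", login_fixed(db, crafted, "anything"))       # None
```

The same input pair makes a useful regression test after patching: the fixed function must return None for the crafted username and a row only for the correct credentials.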
