CVE-2023-36076
Published: 01 September 2023
Summary
CVE-2023-36076 is a critical-severity SQL Injection (CWE-89) vulnerability in Pocketmanga Smanga. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-36076 is a SQL injection vulnerability affecting smanga version 3.1.9 and earlier. The flaw exists in php/history/add.php and is triggered via the mediaId, mangaId, and userId parameters, corresponding to CWE-89.
Remote attackers can exploit the issue over the network without authentication or user interaction to execute arbitrary code and obtain sensitive information. The vulnerability carries a CVSS 3.1 base score of 9.8 with an attack vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
The referenced GitHub issue documents the parameters and affected code path. The EPSS score stands at 0.4813 with no material rise from a lower baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40058
Vulnerability details
SQL Injection vulnerability in smanga version 3.1.9 and earlier, allows remote attackers to execute arbitrary code and gain sensitive information via mediaId, mangaId, and userId parameters in php/history/add.php.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.