CVE-2026-41460
Published: 23 April 2026
Summary
CVE-2026-41460 is a critical-severity SQL Injection (CWE-89) vulnerability in SocialEngine (vendor: SocialEngine). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 37.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by requiring validation and sanitization of user-supplied input, such as the text parameter, before it is incorporated into SQL queries.
- SI-2 (Flaw Remediation): Ensures timely remediation of the specific SQL injection flaw in the /activity/index/get-memberall endpoint through patching and testing.
- Vulnerability scanning identifies SQL injection vulnerabilities such as CVE-2026-41460 in the application, enabling proactive remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the public-facing SocialEngine web application directly enables T1190 (Exploit Public-Facing Application) for unauthenticated remote access. It also facilitates arbitrary database reads via T1213.006 (Databases), supporting data exfiltration and password resets.
NVD Description
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.
Deeper analysis
CVE-2026-41460 is a SQL injection vulnerability (CWE-89) affecting SocialEngine versions 7.8.0 and prior. The flaw resides in the /activity/index/get-memberall endpoint, where user-supplied input via the text parameter is not sanitized before being incorporated into a SQL query. Published on 2026-04-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity. Successful exploitation allows reading arbitrary data from the database, resetting administrator account passwords, and gaining unauthorized access to the Packages Manager in the Admin Panel, which can potentially lead to remote code execution.
Advisories detailing the vulnerability and mitigation strategies are available from sources including Karma Insecurity (KIS-2026-08 at https://karmainsecurity.com/KIS-2026-08), VulnCheck (https://www.vulncheck.com/advisories/socialengine-sql-injection-via-activity-index-get-memberall), Full Disclosure (http://seclists.org/fulldisclosure/2026/Apr/12), and the vendor site (https://socialengine.com). Security practitioners should consult these references for patch information and remediation guidance.
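For defenders triaging web-server logs while the patch is rolled out, the following Python script is an added example (not part of this advisory, the referenced advisories, or SocialEngine itself) that parses constructed access-log lines and flags requests to the vulnerable endpoint whose text parameter carries SQL metacharacters. The combined log format, the indicator pattern and the sample lines are assumptions made for the example.

```python
"""Triage helper for CVE-2026-41460 (added example, not advisory or vendor code).
Flags access-log requests to the vulnerable SocialEngine endpoint whose `text`
parameter carries SQL metacharacters. Log format and sample lines are assumed."""
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/activity/index/get-memberall"   # endpoint named in the advisory
VULN_PARAM = "text"                            # parameter named in the advisory

# Conservative injection indicators for a free-text search value: quotes,
# SQL comment tokens, UNION ... SELECT, or a boolean operator followed by a
# literal. A lone apostrophe ("don't") is noisy; tune against real traffic.
SQLI_PATTERN = re.compile(
    r"""['"]|--|/\*|\bunion\s+(all\s+)?select\b|\b(or|and)\b\s*(\d|'|\()""", re.I)

# Assumed Apache/Nginx combined log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return a dict with ip, ts, path, status and decoded query, or None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "ts": m["ts"], "path": url.path, "status": int(m["status"]),
            "query": parse_qs(url.query, keep_blank_values=True)}

def is_suspicious(rec):
    """True when the record hits the vulnerable path with an injection-like text value."""
    if rec is None or rec["path"].rstrip("/") != VULN_PATH:
        return False
    return any(SQLI_PATTERN.search(v) for v in rec["query"].get(VULN_PARAM, []))

def triage(lines):
    """Return the parsed records worth an analyst's attention."""
    return [r for r in map(parse_line, lines) if is_suspicious(r)]

# Constructed sample lines (RFC 5737 documentation addresses): a benign search,
# a tautology probe against the vulnerable endpoint, and a quote on another path.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2026:10:01:02 +0000] "GET /activity/index/get-memberall?text=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Apr/2026:10:01:05 +0000] "GET /activity/index/get-memberall?text=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192',
    '198.51.100.4 - - [23/Apr/2026:10:02:00 +0000] "GET /members/home?text=don%27t HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['ip']} {rec['path']} text={rec['query'][VULN_PARAM]}")
```

Only the second sample line is reported: it hits the vulnerable path and its decoded text value contains a quote, whereas the quote on /members/home is ignored because that path is not the one the advisory names.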
Details
- CWE(s)