{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30463", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-26T18:51:53.540Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T18:51:53.540Z"}, "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://pentest-tools.com/PTT-2025-030%E2%80%93SQL-Injection-via-Password-Reset.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component."}], "id": "CVE-2026-30463", "lastModified": "2026-03-26T19:17:00.183", "metrics": {}, "published": "2026-03-26T19:17:00.183", "references": [{"source": "cve@mitre.org", "url": "http://daylight.com"}, {"source": "cve@mitre.org", "url": "http://fuelcms.com"}, {"source": "cve@mitre.org", "url": "https://pentest-tools.com/PTT-2025-030%E2%80%93SQL-Injection-via-Password-Reset.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.2"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fuel_cms", "vendor": "daylightstudio"}], "analysis": {"en": {"generated_at": "2026-03-26T21:55:31.413516+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch or upgrade FuelCMS to a version that does not contain the vulnerability.", "If a patch is not available, restrict access to the Login controller by using firewall rules or network segmentation to prevent unauthorized users from reaching the vulnerable endpoint.", "Modify the source code to use prepared statements or parameterized queries for all database interactions in the Login and password\u2011reset flow.", "Validate all user\u2011supplied data and enforce strict input validation rules before processing.", "Monitor web application logs for unusual authentication attempts and report any suspicious activity to the security team."], "summary": {"action": "Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Daylight Studio FuelCMS version 1.5.2. No other vendors or versions are listed as impacted.", "description_and_impact": "Daylight Studio FuelCMS version 1.5.2 contains a flaw in the /controllers/Login.php component that allows an attacker to supply unsanitized input as part of a password reset or login request, resulting in the execution of arbitrary SQL statements against the database. This vulnerability can lead to unauthorized reading or modification of data stored in the database, thereby compromising the confidentiality and integrity of sensitive information.", "risk_and_exploitability": "The advisory references a publicly available penetration testing report that demonstrates exploitation from a remote client with network access to the affected web application. The lack of an EPSS score and absence from the CISA KEV catalog indicates that the vendor has not yet released a public patch. Until remediation is applied, the risk remains that an attacker can manipulate the database by feeding crafted input through the exposed interface."}}}}, "created": "2026-03-27T08:36:24.942639+00:00", "updated": "2026-03-27T09:29:03.545080+00:00", "vendors": ["daylightstudio", "daylightstudio$PRODUCT$fuel_cms"], "weaknesses": ["CWE-89"]}