{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30655", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-24T18:52:36.857Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-24T14:50:17.592Z"}, "descriptions": [{"lang": "en", "value": "SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0.2.2 and earlier allows unauthenticated remote attackers to gain unauthorized access to sensitive information via the cpfcnpj parameter in /reset/index.php"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/esiclivre/esiclivre"}, {"url": "https://github.com/brynax/CVE-2026-30655"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:52:31.238420Z", "id": "CVE-2026-30655", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:52:36.857Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30655", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:52:31.238420Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:52:25.868Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/esiclivre/esiclivre"}, {"url": "https://github.com/brynax/CVE-2026-30655"}], "descriptions": [{"lang": "en", "value": "SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0.2.2 and earlier allows unauthenticated remote attackers to gain unauthorized access to sensitive information via the cpfcnpj parameter in /reset/index.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-24T14:50:17.592Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30655", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:52:36.857Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-24T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esiclivre:esiclivre:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FD12C00-376D-448B-8142-47C3F624106B", "versionEndIncluding": "0.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0.2.2 and earlier allows unauthenticated remote attackers to gain unauthorized access to sensitive information via the cpfcnpj parameter in /reset/index.php"}], "id": "CVE-2026-30655", "lastModified": "2026-03-25T20:53:47.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T15:16:34.243", "references": [{"source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/brynax/CVE-2026-30655"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/esiclivre/esiclivre"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.2]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "esiclivre", "vendor": "esiclivre"}], "analysis": {"en": {"generated_at": "2026-03-25T23:52:27.983149+00:00", "value": {"mitigation_remediation": ["Verify the esiclivre version in use and upgrade to a release that has fixed the SQL injection vulnerability, if available.", "If an official patch is not released, modify the code in Solicitante::resetaSenha() to use parameterized queries or input validation for the cpfcnpj parameter.", "Restrict access to /reset/index.php by implementing authentication or IP filtering until the code is fixed.", "Deploy a web application firewall rule or similar network filtering to block suspicious injection patterns targeting the cpfcnpj field.", "Monitor application logs for unusual requests to /reset/index.php and investigate potential abuse."], "summary": {"action": "Immediate Patch", "impact": "Database disclosure via SQL injection"}, "threat_synthesis": {"affected_systems": "The affected product is esiclivre/esiclivre version 0.2.2 and all earlier releases. No specific vendor version list is supplied beyond the repository identifier, and no CNA vendor or product names are attached. Administrators should verify the exact version being deployed and confirm whether it falls within the vulnerable range. If the installation uses a newer release, the vulnerability may be mitigated by default.", "description_and_impact": "A classic SQL injection flaw exists in the reset password routine of esiclivre/esiclivre, specifically in the Solicitante::resetaSenha() method. The vulnerability is triggered by the cpfcnpj parameter in the /reset/index.php script and allows an unauthenticated attacker to manipulate SQL queries to retrieve or modify sensitive data. The flaw is a straightforward injection weakness (CWE\u201189) that can compromise confidentiality and potentially integrity of the underlying database. The description indicates that any attacker who can reach the reset endpoint can exploit the flaw without needing credentials, rendering the data exposure broadly available.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, and the EPSS score under 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, further indicating limited observed exploitation. Based on the description, the likely attack vector is a remote web request to /reset/index.php with crafted cpfcnpj input, meaning that an attacker could trigger the flaw from anywhere on the internet. Exploitation requires no special conditions beyond network reach to the web service."}}}}, "created": "2026-03-25T11:48:57.410646+00:00", "title": "Unauthenticated SQL Injection Exposing Sensitive Data in esiclivre Reset Function", "updated": "2026-03-26T12:20:29.346450+00:00", "vendors": ["esiclivre", "esiclivre$PRODUCT$esiclivre"]}