Skip to content

Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

High severity GitHub Reviewed Published Apr 29, 2026 in flightphp/core • Updated May 6, 2026

Package

composer flightphp/core (Composer)

Affected versions

< 3.18.1

Patched versions

3.18.1

Description

Summary

SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys.

Affected code

flight/database/SimplePdo.php:

// insert (≈ 320-373)
$sql = sprintf(
    "INSERT INTO %s (%s) VALUES (%s)",
    $table,                            // raw concat
    implode(', ', $columns),           // raw array_keys($data)
    implode(', ', $placeholders)
);

// update (≈ 397-409)
$sets[] = "$column = ?";               // $column = user-controlled key
$sql = sprintf(
    "UPDATE %s SET %s WHERE %s",
    $table,                            // raw
    implode(', ', $sets),
    $where
);

// delete (≈ 427-429)
$sql = "DELETE FROM $table WHERE $where";

No identifier-quoting helper exists; neither $table nor the data keys are validated against a safe-identifier pattern.

Proof of concept

A controller does:

$db->insert('users', $request->data->getData());

The attacker sends the JSON body:

{"name, is_admin) VALUES (?, 1);-- ": "attacker_injected"}

Generated SQL:

INSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?)

After the -- comment, the effective statement INSERT INTO users (name, is_admin) VALUES (?, 1) binds the single placeholder 'attacker_injected', yielding a row with is_admin = 1.

Reproduced live on an in-memory sqlite database (testproj/sqli_live2.php):

id=1  name=alice              is_admin=0
id=2  name=attacker_injected  is_admin=1   <-- injected insert

UPDATE injection via the $where parameter was also reproduced: $db->update('users', ['is_admin' => 1], "id = 1 OR 1=1") flips admin on every row.

Impact

  • Privilege escalation on any signup / register endpoint that forwards request data to insert() (attacker creates an administrative account in a single request).
  • Arbitrary column write through update() keys.
  • Data destruction and exfiltration through the $where parameter (DELETE FROM users WHERE 1=1, UNION-based exfil, etc.).

Patch (fixed in 3.18.1, commit b8dd23a)

A new requireSafeIdentifier() helper validates table names and column names against ^[A-Za-z_][A-Za-z0-9_]*$ before they are interpolated into the SQL string. The $where parameter remains raw SQL as documented — parameterized values passed alongside it continue to be bound safely.

Credit

Discovered by @Rootingg.

References

@n0nag0n n0nag0n published to flightphp/core Apr 29, 2026
Published to the GitHub Advisory Database May 6, 2026
Reviewed May 6, 2026
Last updated May 6, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

CVE ID

CVE-2026-42550

GHSA ID

GHSA-xwqr-rcqg-22mr

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.