CVE-2026-6982

Summary

A vulnerability was determined in star7th ShowDoc up to 2.10.10/3.6.2/3.8.0. Affected by this vulnerability is an unknown functionality of the file server/Application/Api/Controller/PageController.class.PHP of the component API Page Sort Endpoint. Executing a manipulation of the argument pages can lead to sql injection. The attack may be launched remotely. Upgrading to version 3.8.1 addresses this issue. It is suggested to upgrade the affected component. According to the researcher, "[t]he vendor explicitly stated they will not backport patches to the older affected versions."

Affected Software

VendorProductVersion RangeStatus
star7thShowDoc2.10.0affected
star7thShowDoc2.10.1affected
star7thShowDoc2.10.2affected
star7thShowDoc2.10.3affected
star7thShowDoc2.10.4affected
star7thShowDoc2.10.5affected
star7thShowDoc2.10.6affected
star7thShowDoc2.10.7affected
star7thShowDoc2.10.8affected
star7thShowDoc2.10.9affected
star7thShowDoc2.10.10affected
star7thShowDoc3.0affected
star7thShowDoc3.1affected
star7thShowDoc3.2affected
star7thShowDoc3.3affected
star7thShowDoc3.4affected
star7thShowDoc3.5affected
star7thShowDoc3.6affected
star7thShowDoc3.6.0affected
star7thShowDoc3.6.1affected
star7thShowDoc3.6.2affected
star7thShowDoc3.7affected
star7thShowDoc3.8.0affected
star7thShowDoc3.8.1unaffected

Weaknesses

  • CWE-89: SQL Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References