# CVE-2026-30655 — SQL Injection in esiclivre (password reset)
## Summary
A SQL injection vulnerability exists in the password reset endpoint of esiclivre. An unauthenticated attacker can inject SQL via the `cpfcnpj` POST parameter, potentially resulting in unauthorized access to sensitive information.
## Affected Project
- Repository: https://github.com/esiclivre/esiclivre
- Affected versions: v0.2.2 and earlier
- Affected commit: up to and including 0a72b4c9ab89244ec3bd3d7fa0b765850cc9afd7
## Technical Details
- Endpoint: `POST /reset/index.php`
- Parameter: `cpfcnpj`
- Root cause: user input is concatenated into a SQL query in `Solicitante::resetaSenha()` without parameterization.
## Impact
- Potential unauthorized access to sensitive database information (information disclosure).
## Mitigation / Fix
No upstream fix is available at the time of publication.
Recommended remediation:
- Use parameterized queries (prepared statements) for database access.
- Validate and sanitize user input.
- Consider temporarily restricting access to the password reset endpoint until patched.
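
The first two recommendations above, applied to the `cpfcnpj` lookup, as an added example that is not esiclivre's own code: input is checked against the CPF/CNPJ digit format and then passed to the query as a bound parameter. The table and column names, both function names, and the use of PDO with an in-memory SQLite database are assumptions made so the example runs stand-alone; the sample row and inputs are constructed.

```php
<?php
// Added example: hypothetical schema and function names, not esiclivre's code.
declare(strict_types=1);

/** Accept only a CPF (11 digits) or CNPJ (14 digits); common punctuation is stripped first. */
function normalizeCpfCnpj(string $raw): ?string
{
    $digits = preg_replace('/[.\/\-\s]/', '', $raw) ?? '';
    return preg_match('/\A(\d{11}|\d{14})\z/', $digits) === 1 ? $digits : null;
}

/** Look up the requester for a password reset using a bound parameter. */
function findRequesterForReset(PDO $db, string $rawCpfCnpj): ?array
{
    $cpfcnpj = normalizeCpfCnpj($rawCpfCnpj);
    if ($cpfcnpj === null) {
        return null; // reject malformed input before it reaches the database
    }
    // Pattern to avoid (illustrative form of the root cause, not the project's query):
    //   $sql = "SELECT id, email FROM solicitante WHERE cpfcnpj = '" . $rawCpfCnpj . "'";
    // With prepare/execute the value travels separately from the SQL text,
    // so it can never change the structure of the statement.
    $stmt = $db->prepare('SELECT id, email FROM solicitante WHERE cpfcnpj = :cpfcnpj');
    $stmt->execute([':cpfcnpj' => $cpfcnpj]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE solicitante (id INTEGER PRIMARY KEY, cpfcnpj TEXT, email TEXT)');
$db->exec("INSERT INTO solicitante (cpfcnpj, email) VALUES ('12345678901', 'a@example.test')");

// Constructed inputs: a formatted CPF, a value containing a quote character, an empty string.
$inputs = ['123.456.789-01', "12345678901'", ''];
foreach ($inputs as $input) {
    $row = findRequesterForReset($db, $input);
    printf("%-20s => %s\n", var_export($input, true), $row ? $row['email'] : 'no match');
}
```

With PDO against MySQL, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements instead of client-side emulation. The format check is defense in depth; the bound parameter is what removes the injection.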
## Timeline
- 2025-04-12: Reported to vendor/maintainers
- 2026-02-09: CVE request submitted
- 2026-03-23: CVE-2026-30655 assigned
## Credits
Discovered by Bryan Romero (https://github.com/brynax).