CVE-2026-42550
Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers โ a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) โ an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1.
| CWE | CWE-89 |
| Vendor | flightphp |
| Product | core |
| Published | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for flightphp core
Be the first to know when new high vulnerabilities affecting flightphp core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
flightphp / core
< 3.18.1