SQL Injection in damasac thaipalliative_lte through version 3.0 (CVE-2026-38581)
critical-cve-against-dependency · active
A SQL injection vulnerability in the thaipalliative_lte application (through version 3.0) lets remote attackers run arbitrary SQL commands via unsanitized parameters in /substudy/ezform.php. User input is concatenated directly into SQL queries without parameterization.
Affected packages
Sources
- ghsa: https://github.com/advisories/GHSA-vvmc-8xvf-rg7j
- nvd: https://nvd.nist.gov/vuln/detail/CVE-2026-38581
- ghsa: https://github.com/damasac/thaipalliative_lte/blob/57b57630fb403eba524533062ef5244e9b7c4380/substudy/ezform.php#L14
- ghsa: https://github.com/theemperorspath/advisories/blob/main/2026/CVE-2026-38581.md