CVE-2026-42550: Flight PHP Framework SQL Injection Vulnerability

/HIGH /CVSS 8.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-89
CVE-2026-42550: Flight PHP Framework SQL Injection Vulnerability

The National Vulnerability Database has issued an advisory for CVE-2026-42550, impacting the Flight extensible micro-framework for PHP. Prior to version 3.18.1, the SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() methods are vulnerable to SQL injection. These functions construct SQL statements by directly concatenating the $table argument and the keys of the $data array without proper identifier quoting or validation.

This flaw becomes critical when applications forward user-controlled data shapes to these helper functions, a common and documented pattern. An attacker can craft malicious array keys to inject arbitrary SQL, leading to severe data compromise. The National Vulnerability Database assigns this a CVSS score of 8.8 (HIGH), highlighting the significant risk of compromise, integrity loss, and availability impact (CWE-89).

Flight framework users are strongly advised to update to version 3.18.1 immediately. This patch addresses the underlying issue by correctly handling identifier quoting and input validation, mitigating the risk of SQL injection via crafted array keys. Failure to update leaves systems highly exposed to data manipulation and exfiltration.

What This Means For You

  • If your applications utilize the Flight PHP micro-framework, you need to check your version immediately. Specifically, if you're using `SimplePdo::insert()`, `SimplePdo::update()`, or `SimplePdo::delete()` with user-controlled input, you are exposed to CVE-2026-42550. Patch to version 3.18.1 or later without delay. Review your codebase for instances where user input directly influences array keys passed to these database helpers.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Software Component Initial Access T1189 Drive-by Compromise Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-42550: Flight PHP Framework SQL Injection via Malicious Array Keys

Sigma YAML — free preview 
title: CVE-2026-42550: Flight PHP Framework SQL Injection via Malicious Array Keys
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects potential SQL injection attempts targeting the Flight PHP Framework by looking for common SQL injection patterns within the query string. This specifically targets the vulnerability where user-controlled data shapes are forwarded to SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() without proper validation, allowing attackers to inject arbitrary SQL via crafted array keys.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42550/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri-query|contains:
          - "' OR 1=1 --"
          - "' UNION SELECT"
          - "' AND "
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-42550 SQLi Flight PHP micro-framework versions prior to 3.18.1
CVE-2026-42550 SQLi Flight PHP SimplePdo::insert() function
CVE-2026-42550 SQLi Flight PHP SimplePdo::update() function
CVE-2026-42550 SQLi Flight PHP SimplePdo::delete() function
CVE-2026-42550 SQLi SQL injection via malicious array keys in user-controlled data passed to SimplePdo methods

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 13, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CubeCart CVE-2026-45714: Authenticated RCE Via Template Injection

CVE-2026-45714 — CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including...

vulnerabilityCVEcriticalhigh-severitycwe-94cwe-1336
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 5 IOCs /⚙ 7 Sigma

CubeCart RCE (CVE-2026-45708) Allows Unauthenticated Remote Code Execution

CVE-2026-45708 — CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw into the Invoice Editor. The...

vulnerabilityCVEhigh-severitycwe-94
/SCW Vulnerability Desk /HIGH /7.2 /⚑ 4 IOCs /⚙ 3 Sigma

Quark Drive Mass Assignment Flaw Grants Admin Takeover

CVE-2026-45229 — Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by...

vulnerabilityCVEhigh-severitycwe-915
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 4 IOCs /⚙ 3 Sigma