Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-41460 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-23 |
| Vendor | SocialEngine |
| Product | SocialEngine |
| CVSS Score | 9.8 (critical) |
| EPSS Score | 0.2% (percentile: 38%) |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.
Required Actions
Apply vendor patches as soon as possible. Until an update is deployed, block access to the /activity/index/get-memberall endpoint at the WAF layer or restrict traffic to trusted IP ranges. Review logs for suspicious requests containing SQL meta-characters in the text parameter.
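A defender-side check for the log review step above, added here as an example that is not from the advisory or from SocialEngine: it scans web access logs (assumed to be in the common combined format) for requests to the affected endpoint whose text parameter carries SQL meta-characters. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory.
VULN_PATH = "/activity/index/get-memberall"
VULN_PARAM = "text"

# Assumption: logs are in Apache/nginx combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Quotes, statement/comment delimiters and a few SQL keywords that have no
# business in a free-text member search. Tune to reduce noise on your traffic.
SQL_META_RE = re.compile(
    r"(?i)(['\";]|--|/\*|\*/|\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b)"
)


def suspicious_requests(log_lines):
    """Return (client_ip, timestamp, decoded_text) for every request to the
    vulnerable endpoint whose `text` value contains SQL meta-characters.

    Caveat: access logs only carry the query string. If the parameter is sent
    in a POST body, inspect WAF or application logs instead."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        parts = urlsplit(m["url"])
        if parts.path.rstrip("/") != VULN_PATH:
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
            decoded = unquote_plus(raw)  # second decode catches double-encoding
            if SQL_META_RE.search(decoded):
                hits.append((m["ip"], m["ts"], decoded))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Apr/2026:10:00:01 +0000] "GET /activity/index/get-memberall?text=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Apr/2026:10:00:07 +0000] "GET /activity/index/get-memberall?text=alice%27-- HTTP/1.1" 200 9031',
    '198.51.100.7 - - [23/Apr/2026:10:00:09 +0000] "GET /members/home?text=x%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, ts, text in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} text={text!r}")
```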
Who Is Affected?
This vulnerability affects the SocialEngine social-networking platform (vendor: SocialEngine). All deployments running version 7.8.0 or earlier are at risk. Check your deployed version and plan an upgrade.
