CRITICAL | CVE-2026-38581 | CNA: mitre

CVE-2026-38581: SQL Injection vulnerability in damasac thaipalliative_lte through version 3

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection vulnerability in damasac thaipalliative_lte (through version 3.0) allows a remote, unauthenticated attacker to execute arbitrary SQL commands against the underlying database. The vulnerability is reachable over the network with no authentication required, by sending crafted values in the idFormMain parameter to /substudy/ezform.php or the id parameter at line 49, both of which are concatenated directly into SQL queries without sanitization or parameterized statements. Successful exploitation gives the attacker full read, write, and deletion access to the database, which may also enable operating-system-level code execution depending on database configuration. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-38581 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle thaipalliative_lte through version 3.0.

Triage: Available

Triage is available with a CVSS v3.1 score of 9.8 (Critical), weighted against each customer organization's compliance policy and routed to the appropriate team inbox based on configured severity thresholds and ownership rules.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the meantime, customers can apply compensating controls through HarborGuard's network-policy and egress-filtering recommendations to reduce exposure for affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoints are exposed over the network, so an attacker must be able to reach the application's HTTP interface to send crafted requests.

  • Authentication: Not required

    No account or credentials of any privilege level are needed; the vulnerable parameters are accessible to anonymous HTTP requests.

  • Victim interaction: Not required

    The attacker sends a malicious request directly to the server; no user action or social engineering is involved.

  • Attack complexity

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental prerequisites.

Blast Radius

  • Reads all data stored in the database, including user records, session tokens, and any sensitive application data.
  • Modifies or deletes persisted database rows, enabling data tampering or full destruction of application state.
  • Depending on database server configuration and permissions, executes operating-system commands on the host running the database.
  • Disrupts application availability by dropping tables or corrupting data structures critical to normal operation.

How HarborGuard Handles This

Available on HarborGuard: detection for this critical SQL injection vulnerability is matched against customer images immediately on ingest. Because no upstream fix exists as of the publication date, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment damasac ships a remediated version. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and a PR opened against affected workloads without manual intervention. While the fix is pending, HarborGuard's compensating-control recommendations include applying strict network-policy rules to isolate the application from untrusted clients, enabling egress filtering to limit database server exposure, and gating the affected endpoints behind an authentication layer or web application firewall rule if the application architecture permits it. Customers can configure alert routing so that any image found running thaipalliative_lte through version 3.0 is flagged immediately to the responsible team.
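
A detection sketch to accompany the compensating controls described above, added here as an example and not HarborGuard's or the project's own code: it scans web access-log lines for requests to the endpoint named in the advisory whose idFormMain or id value is not a plain decimal ID. The numeric-ID rule, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint and parameter names are taken from the advisory text.
VULN_PATH = "/substudy/ezform.php"
WATCHED_PARAMS = ("idFormMain", "id")
# Assumption (not stated in the advisory): legitimate values are plain decimal IDs.
NUMERIC_ID = re.compile(r"\d{1,20}")
# Request portion of a combined-format access-log line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return watched parameters on the vulnerable path whose value is not a numeric ID."""
    parts = urlsplit(target)
    # endswith() tolerates deployments under a path prefix such as /app.
    if not parts.path.lower().endswith(VULN_PATH):
        return []
    # parse_qsl percent-decodes, so encoded quotes and spaces are checked decoded.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(k, v) for k, v in pairs
            if k in WATCHED_PARAMS and not NUMERIC_ID.fullmatch(v)]


def scan(lines):
    """Yield (line_number, client_ip, findings) for each flagged request line."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        found = suspicious_params(m.group("target"))
        if found:
            yield n, line.split(" ", 1)[0], found


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /substudy/ezform.php?idFormMain=1520 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /substudy/ezform.php?idFormMain=1520%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /substudy/ezform.php?idFormMain=1520&id=7+OR+1 HTTP/1.1" 200 98231',
    '192.0.2.10 - - [01/Jan/2026:10:00:12 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only query-string parameters; values sent in a request body need the same allow-list check applied at a proxy or WAF in front of the application.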

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H