CVE-2026-49491: Pixa Bank 2.0 SQL Injection via agence-ajax.php API
Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user information including names, email addresses, and phone numbers from the database.
Metrics
- CVSS v4.0: 8.8
- Severity: HIGH
- Fixed in: none published (no upstream fix available at time of writing)
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection in Pixa Bank 2.0 allows unauthenticated attackers to extract sensitive data from the application database by sending crafted POST requests to the agence-ajax.php endpoint. The vulnerability is reachable over the network and requires no credentials or user interaction, making it straightforward to exploit at scale. Successful exploitation reads stored user records including names, email addresses, and phone numbers. No fix version has been published; HarborGuard is tracking the advisory for patch availability.
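To make the mechanism concrete, the following is an added illustration written for this page; it is not Pixa Bank's code, and the table and column names (agence, users, rib, nom, email, telephone) and the sample rows are constructed assumptions. It shows the vulnerable pattern (the rib value spliced into the SQL text), the UNION payload that pivots the query onto a users table with a matching column count, schema enumeration through the same injection point, and the parameterized form that closes the hole. SQLite stands in for the application's database engine.

```python
import sqlite3

# Constructed stand-in data; not Pixa Bank's schema or code. Table and column
# names (agence, users, rib, nom, email, telephone) are assumptions for the demo.
SAMPLE_AGENCIES = [
    ("FR7630001007941234567890185", "Agence Centre"),
    ("FR7630004000031234567890143", "Agence Nord"),
]
SAMPLE_USERS = [
    ("Alice Martin", "alice@example.com", "+33 6 00 00 00 01"),
    ("Bob Durand", "bob@example.com", "+33 6 00 00 00 02"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agence (rib TEXT, nom TEXT)")
    conn.execute("CREATE TABLE users (nom TEXT, email TEXT, telephone TEXT)")
    conn.executemany("INSERT INTO agence VALUES (?, ?)", SAMPLE_AGENCIES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_agency_vulnerable(conn, rib):
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so a quote in the value ends the literal and the rest is parsed as SQL."""
    sql = "SELECT nom, rib FROM agence WHERE rib = '" + rib + "'"
    return conn.execute(sql).fetchall()


def lookup_agency_fixed(conn, rib):
    """Hardened form: the value travels as a bound parameter and can only ever
    be compared against the rib column, never parsed as part of the statement."""
    return conn.execute("SELECT nom, rib FROM agence WHERE rib = ?", (rib,)).fetchall()


# Constructed UNION payload. The original SELECT returns two text columns, so the
# injected SELECT must also return two; '--' comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT nom || ':' || email, telephone FROM users -- "

# Schema enumeration payload (SQLite's sqlite_master plays the role that
# information_schema.tables plays on MySQL/PostgreSQL).
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master -- "


def extracted_users(conn):
    """What the attacker sees in the HTTP response: rows from the users table."""
    return sorted(lookup_agency_vulnerable(conn, UNION_PAYLOAD))


def extracted_table_names(conn):
    """Table names leaked through the same injection point."""
    return sorted(row[0] for row in lookup_agency_vulnerable(conn, SCHEMA_PAYLOAD))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extracted_users(db))
    print("tables:", extracted_table_names(db))
    print("fixed:", lookup_agency_fixed(db, UNION_PAYLOAD))
```

Against the vulnerable function the payload returns every users row even though no agence row matches; against the parameterized function the same string is treated as a literal RIB and matches nothing. The column-count requirement is why real attacks start with probes such as `ORDER BY n` or a UNION of NULLs before the data-bearing SELECT.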
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Pixa Bank 2.0. Any image found to contain an affected version is flagged immediately.
- Scoring and triage: Available. HarborGuard scores this vulnerability at CVSS 8.8 (HIGH) and surfaces it with that weighting applied against each customer's compliance policy. Triage routing can direct findings to the appropriate team inbox within each customer organization based on configured ownership rules.
- Fix: Pending upstream. No upstream fix is available for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is published. In the interim, compensating controls are described below.
Exploit Conditions
- Network reachability: Required. The agence-ajax.php endpoint must be reachable over the network; the attacker sends crafted POST requests directly to the exposed service.
- Authentication: Not required. No credentials are needed; the vulnerable parameter is accessible to unauthenticated requests.
- Victim interaction: Not required. The attacker interacts directly with the server endpoint without any involvement from a logged-in user.
- Attack complexity: Low (AC:L). Exploitation is reliable and condition-free; crafting a UNION-based SQL payload against a known parameter requires no special timing or environmental setup.
Blast Radius
- Reads stored user records including full names, email addresses, and phone numbers from the database via UNION-based SQL extraction.
- Allows enumeration of database structure, which may expose additional tables and columns beyond the ones described in the advisory.
- The CVSS vector rates integrity impact as Low (VI:L). The advisory documents only data extraction; whether the injection point can also be used to modify data (for example through stacked queries) is not established, so any write capability should be treated as unconfirmed.
How HarborGuard Handles This
Detection for this CVE is active across all customer scanning pipelines and matched against every image that includes Pixa Bank 2.0. Because no upstream fix has been published, HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available as soon as an upstream patch is released; for customers with auto-remediation enabled, that also triggers a rebuild, a regression run, and a PR against affected workloads. Customers can configure HarborGuard policy alerts to be notified the moment a fix version is published and a rebuild becomes available.
Until a fix exists, compensating controls worth considering:
- Network-policy isolation that restricts access to agence-ajax.php to trusted source IPs only.
- A web application firewall rule that matches UNION-based SQL patterns on the rib parameter. Pattern rules are a stopgap: they must normalize case, comments and encoding to catch simple evasions, and they do not address blind or error-based injection against the same parameter.
- Egress filtering on the database host. This does not stop UNION-based extraction, which returns data in the application's own HTTP response; it only limits out-of-band exfiltration and lateral movement from a compromised database process.
- Running the application's database account with the least privilege the agency lookup actually needs, so an injection in agence-ajax.php cannot read tables beyond those the feature requires.
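A minimal version of such a WAF rule, added here as an illustration (not a HarborGuard rule or any vendor's WAF configuration), showing why the pattern has to be applied after normalization. The request bodies below are constructed for the demo, as are the table and column names in the payloads; the naive rule looks for the literal keywords separated by whitespace, while the hardened rule decodes a second layer of percent-encoding, treats inline comments as whitespace, and lowercases before matching.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed POST bodies for agence-ajax.php. Payload shapes and the
# table/column names inside them are assumptions for the demo, not captured traffic.
SAMPLE_BODIES = {
    "legitimate": "rib=FR7630001007941234567890185",
    "plain_union": "rib=x%27+UNION+SELECT+nom%2Cemail+FROM+users--+",
    "comment_evasion": "rib=x%27/**/UNION/**/SELECT/**/nom,email/**/FROM/**/users--",
    "double_encoded": "rib=x%2527%2520UNION%2520SELECT%2520nom,email%2520FROM%2520users--",
}

# Naive rule: the literal keywords separated by ordinary whitespace.
NAIVE_RULE = re.compile(r"union\s+select", re.IGNORECASE)

# Rule applied to the normalized value (already lowercased, single spaces).
UNION_RULE = re.compile(r"\bunion\b(?: all| distinct)? select\b")


def param_values(body, param="rib"):
    """Return the decoded values of one form field (parse_qs decodes once)."""
    return parse_qs(body, keep_blank_values=True).get(param, [])


def normalize(value):
    """Canonicalise a parameter value towards what the database would parse:
    decode a second layer of percent-encoding, replace inline comments with a
    space, collapse whitespace runs, lowercase."""
    value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def naive_blocks(body, param="rib"):
    """Decision of the naive rule on the once-decoded field value."""
    return any(NAIVE_RULE.search(v) for v in param_values(body, param))


def hardened_blocks(body, param="rib"):
    """Decision of the normalized rule."""
    return any(UNION_RULE.search(normalize(v)) for v in param_values(body, param))


def evaluate(bodies=SAMPLE_BODIES):
    """Map each sample body name to (naive_decision, hardened_decision)."""
    return {name: (naive_blocks(b), hardened_blocks(b)) for name, b in bodies.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:16} naive={naive!s:5} hardened={hardened}")
```

The naive rule catches only the plain payload; the comment-padded and double-encoded variants slip past it and are caught after normalization. Two caveats: the double-encoding case only matters if the application itself decodes twice, so the normalization errs toward blocking and may produce false positives on legitimate percent signs; and a UNION signature says nothing about boolean-blind or time-based injection through the same parameter, which is why the rule is a compensating control and not a fix.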
Affected Products
- Pixastudio / Pixa Bank 2.0
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N