Lyceum Intelligence, In Focus reports


CVE-2026-29861 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-29861 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-29861 is a SQL injection vulnerability in PHP-MYSQL-User-Login-System v1.0, specifically affecting the username parameter processed by the application's login.php authentication endpoint.

Technical Detail

The flaw exists because the value submitted in the username field of login.php is concatenated into the SQL text without escaping or parameterization. A remote attacker who can reach the login page, without any account, can therefore submit a username that changes the structure of the query rather than just the value being compared (for example by closing the string literal and commenting out the remainder of the WHERE clause), which enables authentication bypass, extraction of data the login query was never meant to return, and potentially compromise of the whole database reachable by the application's account. Reading or writing files on the host system through the injection is possible only if that account holds the FILE privilege, and it is further constrained by the server's secure_file_priv setting, which recent MySQL packages restrict to a single directory by default; on a least-privilege deployment this escalation path is closed.
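The concatenation pattern described above, beside the prepared-statement fix that the What To Do section calls for, as an added example. This is illustrative code written for this briefing, not the source of PHP-MYSQL-User-Login-System; the table name `users`, the columns `username` and `password_hash`, the `authenticate()` function and the connection details are all assumptions.

```php
<?php
// Added example: illustrates the flaw class described in the briefing, not the
// actual source of PHP-MYSQL-User-Login-System. The table name `users` and the
// columns `username` and `password_hash` are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern: the username is pasted into the SQL text -----------
// A crafted username changes the query's structure instead of its data.
function buildVulnerableQuery(string $username, string $password): string
{
    return "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
}

// buildVulnerableQuery("admin' -- ", "anything") yields
//   SELECT * FROM users WHERE username = 'admin' -- ' AND password = 'anything'
// MySQL treats "-- " (with the trailing space) as a line comment, so the
// password comparison is discarded and the admin row matches.

// --- Hardened pattern: prepared statement + hashed password -----------------
// The SQL text is sent to the server once with a placeholder; the username is
// bound afterwards as a value, so it cannot alter the query structure. The
// password never reaches the database: it is checked against a stored
// password_hash() digest with password_verify().
function authenticate(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT password_hash FROM users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string value
    $stmt->execute();
    $stmt->bind_result($storedHash);     // populated only if a row is fetched
    $found = $stmt->fetch() === true;
    $stmt->close();

    // Unknown user or wrong password both return false. For a login that must
    // not leak which usernames exist, run password_verify() against a fixed
    // dummy hash in the not-found branch as well so response time is uniform.
    return $found && password_verify($password, (string) $storedHash);
}

// Usage with placeholder connection details (host, credentials and database
// name are not from the briefing):
//   $db = new mysqli('localhost', 'login_app', 'app-password', 'login_db');
//   var_dump(authenticate($db, "admin' -- ", 'anything'));  // false
// The bound value "admin' -- " is looked up literally as a username, which
// does not exist, so the bypass that works against the concatenated query
// fails against the prepared one.
```

The hardened version also stops sending the password to the database at all, which removes the second injection point the concatenated query had in the password field.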

Exploitation Status

No known exploit code has been publicly identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. A CVSS base score of 9.8 corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network, needs no special conditions, no privileges and no user interaction, and has high impact on confidentiality, integrity and availability. For a login form, the crafted input is an ordinary form submission, so the absence of public exploit code should not be read as a meaningful barrier if the application is internet-facing.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability as of April 17, 2026.

What To Do

Organizations running PHP-MYSQL-User-Login-System v1.0 should treat this as a high-priority remediation given the critical CVSS score and the unauthenticated attack surface. The correct fix is to replace every instance of SQL string concatenation in login.php (and in any other script that builds queries the same way) with prepared statements and bound parameters; escaping alone is a weaker substitute and is easy to miss in one code path. If the code cannot be fixed immediately, restrict access to the login endpoint with network controls or place it behind a web application firewall with SQL injection rule sets enabled, treating the WAF as a stopgap rather than a fix. Audit the application's database account and enforce least privilege: grant only the statements it needs on its own schema, and make sure it holds neither FILE nor administrative privileges, which closes the file read/write escalation path described above. Monitor for anomalous login attempts and SQL syntax in request parameters, keeping in mind that the username arrives in a POST body and therefore does not appear in a default web server access log; application-level request logging, WAF logs, or the MySQL general or audit log are needed to see it.
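Two detection checks for the monitoring step above, as an added example that is not part of the briefing or the affected project: a heuristic scan of the submitted username at the application layer (where the POST body is actually visible), and a query-shape check over MySQL general log lines. The sample log lines are constructed for this example, the login query template they are checked against is an assumption about how the vulnerable query is built, and both detectors are aids for alerting, not a replacement for prepared statements.

```php
<?php
// Added example for detection, not part of the CVE briefing or the project.
declare(strict_types=1);

// Heuristic indicators of SQL syntax inside a value that should be a plain
// username. Any filter like this can be bypassed; it is for alerting only.
const SQLI_PATTERNS = [
    '/\'\s*(?:or|and)\s+\S+\s*=\s*\S+/i',   // ' OR 1=1 , ' or 'a'='a
    '/--(?:\s|$)/',                          // MySQL "-- " line comment
    '/\/\*.*?\*\//s',                        // /* block comment */
    '/\bunion\b.*\bselect\b/is',             // UNION SELECT
    '/\b(?:sleep|benchmark)\s*\(/i',         // time-based probes
    '/\binto\s+(?:out|dump)file\b/i',        // file write (needs FILE priv)
    '/\bload_file\s*\(/i',                   // file read (needs FILE priv)
];

// Returns the patterns that matched; an empty array means nothing suspicious.
function sqliIndicators(string $value): array
{
    $hits = [];
    foreach (SQLI_PATTERNS as $re) {
        if (preg_match($re, $value) === 1) {
            $hits[] = $re;
        }
    }
    return $hits;
}

// Constructed sample lines in MySQL general query log format (not real data).
const SAMPLE_GENERAL_LOG = [
    "2026-04-17T09:12:03.120000Z\t   14 Query\tSELECT * FROM users WHERE username = 'alice' AND password = 'Secret123'",
    "2026-04-17T09:12:09.410000Z\t   14 Query\tSELECT * FROM users WHERE username = 'admin' -- ' AND password = 'x'",
    "2026-04-17T09:12:15.002000Z\t   15 Query\tSELECT * FROM users WHERE username = '' OR 1=1 LIMIT 1 -- ' AND password = ''",
    "2026-04-17T09:12:20.300000Z\t   15 Query\tSELECT * FROM users WHERE username = 'bob' AND password = 'hunter2'",
];

// Assumed shape of the legitimate login query (the page does not show the
// exact query). Anything selecting from `users` that does not fit this shape
// has had its structure altered and is reported.
const EXPECTED_LOGIN_QUERY =
    '/^SELECT \* FROM users WHERE username = \'[^\']*\' AND password = \'[^\']*\'$/';

// Parses general log lines and returns one alert per query whose shape
// deviates from the expected login query.
function scanGeneralLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        // General log format: <timestamp>\t<thread id> <command>\t<argument>
        if (preg_match('/^(\S+)\t\s*(\d+) Query\t(.*)$/', $line, $m) !== 1) {
            continue;
        }
        [, $time, $thread, $sql] = $m;
        if (!str_contains($sql, 'FROM users WHERE username =')) {
            continue;                       // not the login query
        }
        if (preg_match(EXPECTED_LOGIN_QUERY, $sql) !== 1) {
            $alerts[] = ['time' => $time, 'thread' => (int) $thread, 'sql' => $sql];
        }
    }
    return $alerts;
}

// Usage: the first two usernames are clean, the others trip the indicators,
// and the log scan reports the two altered queries on threads 14 and 15.
foreach (['alice', "O'Brien", "admin' -- ", "' OR 1=1 -- "] as $u) {
    printf("%-16s %s\n", $u, sqliIndicators($u) === [] ? 'ok' : 'SUSPICIOUS');
}
foreach (scanGeneralLog(SAMPLE_GENERAL_LOG) as $a) {
    printf("ALERT thread %d at %s: %s\n", $a['thread'], $a['time'], $a['sql']);
}
```

The shape check deliberately treats any stray quote as an anomaly, so a legitimate username or password containing an apostrophe will also be reported; against a concatenated query that is the exact condition under which injection happens, so the alert is still worth a look. Once login.php uses prepared statements, the general log shows the placeholder query text rather than bound values, and the first detector on the raw parameter becomes the useful one.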
