CVE-2016-4861

CRITICAL

Fedora < 1.12.19 - SQL Injection

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4861. PoCs published by KosukeShimofuji.

AI-analyzed exploit summary This repository contains Ansible playbooks for setting up a test environment but lacks any actual exploit code or technical details related to CVE-2016-4861. It appears to be a placeholder or infrastructure setup rather than a functional PoC.

Description

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

Exploits (1)

nomisec STUB

by KosukeShimofuji · poc

https://github.com/KosukeShimofuji/CVE-2016-4861

View Code ZIP pw:eip

This repository contains Ansible playbooks for setting up a test environment but lacks any actual exploit code or technical details related to CVE-2016-4861. It appears to be a placeholder or infrastructure setup rather than a functional PoC.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: N/A

No auth needed

Prerequisites: Ansible · Target environment setup

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (8)

Core 8

Core References

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201804-10

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/

Mailing List mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2018/06/msg00012.html

Exploit, Technical Description, Vendor Advisory x_refsource_confirm

https://framework.zend.com/security/advisory/ZF2016-03

Third Party Advisory, VDB Entry third-party-advisory x_refsource_jvndb

http://jvndb.jvn.jp/jvndb/JVNDB-2016-000158

Third Party Advisory, VDB Entry third-party-advisory x_refsource_jvn

http://jvn.jp/en/jp/JVN18926672/index.html

Scores

CVSS v3 9.8

EPSS 0.0398

EPSS Percentile 88.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (5)

fedoraproject/fedora 23

fedoraproject/fedora 24

fedoraproject/fedora 25

zend/zend_framework < 1.12.19

zendframework/zendframework 0 - 1.12.20Packagist

Published Feb 17, 2017

Tracked Since Feb 18, 2026