CVE-2018-3754

HIGH

Query-mysql - SQL Injection

Title source: rule

Description

Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database.

Exploits (1)

github NO CODE

by bl4de · poc

https://github.com/bl4de/CVEs/tree/master/CVE-2018-3754

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://hackerone.com/reports/311244

Scores

CVSS v3 8.8

EPSS 0.0024

EPSS Percentile 46.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (4)

npm/query-mysql 0npm

query-mysql_project/query-mysql 0.0.0

query-mysql_project/query-mysql 0.0.1

query-mysql_project/query-mysql 0.0.2

Published Jul 03, 2018

Tracked Since Feb 18, 2026