CVE-2021-26830

CRITICAL

Zenario < 8.8.53370 - SQL Injection via Plugin Library Delete Module ID Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-26830. PoCs published by Balaji Ayyasamy.

AI-analyzed exploit summary: This is a technical writeup describing a blind SQL injection vulnerability in Zenario CMS 8.8.53370. It provides steps to reproduce the vulnerability using sqlmap, including authentication and request manipulation.

Description

SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Plugin library - delete` module.

Exploits (1)

exploitdb WRITEUP
by Balaji Ayyasamy · text · webapps · php
https://www.exploit-db.com/exploits/49642

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Zenario CMS 8.8.53370
Auth required
Prerequisites: Admin credentials for Zenario CMS · Access to the plugin library module
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/TribalSystems/Zenario/releases/tag/8.8.53370

Scores

CVSS v3 9.1
EPSS 0.0093
EPSS Percentile 76.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE CWE-89
Status published
Products (2)
tribalsystems/zenario 8.8.52729
tribalsystems/zenario 0 - 8.8.53370 (Packagist)
Published Apr 16, 2021
Tracked Since Feb 18, 2026