CVE-2021-47766

HIGH

Kmaleon 1.1.0.205 - Authenticated SQL Injection via tipocomb Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47766. PoCs published by Amel BOUZIANE-LEBLOND.

AI-analyzed exploit summary The exploit demonstrates SQL injection in Kmaleon 1.1.0.205 via the 'tipocomb' parameter, with payloads for boolean-based blind, error-based, and time-based blind attacks. It confirms MySQL as the backend DBMS and provides specific payloads for exploitation.

Description

Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.

Exploits (1)

exploitdb WORKING POC
by Amel BOUZIANE-LEBLOND · textwebappsphp
https://www.exploit-db.com/exploits/50499

The exploit demonstrates SQL injection in Kmaleon 1.1.0.205 via the 'tipocomb' parameter, with payloads for boolean-based blind, error-based, and time-based blind attacks. It confirms MySQL as the backend DBMS and provides specific payloads for exploitation.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Kmaleon v1.1.0.205
Auth required
Prerequisites: Authenticated access to the application · Network access to the target server
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.1
EPSS 0.0024
EPSS Percentile 14.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Published Jan 15, 2026
Tracked Since Feb 18, 2026