CVE-2022-26986

HIGH

ImpressCMS < 1.4.3 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-26986. PoCs published by Sarang Tumne.

AI-analyzed exploit summary: This exploit demonstrates an authenticated SQL injection vulnerability in ImpressCMS v1.4.3 via the 'mimetypeid' parameter in a POST request. The payload uses a time-based blind technique (SLEEP) to confirm the vulnerability.

Description

SQL injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in an unintended way, which allows an attacker to read and modify sensitive information in the database used by the application. If the system is misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.

Exploits (1)

exploitdb · WORKING POC
by Sarang Tumne · text · webapps · php
https://www.exploit-db.com/exploits/51056

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: ImpressCMS v1.4.3
Auth required
Prerequisites: Admin credentials for ImpressCMS · Access to the admin interface
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.2
EPSS: 0.0142
EPSS Percentile: 81.1%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (2)
impresscms/impresscms < 1.4.3
impresscms/impresscms 0 · Packagist
Published: Apr 05, 2022
Tracked Since: Feb 18, 2026