CVE-2026-3786

MEDIUM

easycms < 1.6 - SQL Injection via _order Parameter in Request Parameter Handler

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-3786. PoCs published by XiaomingX, Mefhika120, snapdowgg.

AI-analyzed exploit summary: The repository contains a functional exploit for CVE-2026-3786, demonstrating SQL injection leading to RCE and shell upload. The exploit targets a vulnerable endpoint in a PHP-based application (likely ThinkPHP) and includes payloads for time-based SQLi, RCE, and database name extraction.

Description

A security flaw has been found in EasyCMS up to version 1.6. The affected code is an unknown function in the file /RbacuserAction.class.php, part of the Request Parameter Handler component. Manipulation of the argument _order leads to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Two points worth pinning down before triage. The CVSS vector below carries PR:L, and the PoC analyses name `/index.php?s=/admin/rbacuser/index` as the target, so the realistic precondition is an authenticated session in the admin panel; the "No auth needed" classifications on two of the PoC entries conflict with that vector. And, as its name suggests, `_order` is a sort key. A sort key lands in an ORDER BY clause, where prepared-statement placeholders cannot be bound and string escaping does nothing, so the only sound fix is to accept the value from an allowlist of column names and directions and fall back to a fixed default for anything else.
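As an added example (not EasyCMS code and not any of the PoCs listed on this page), the following Python shows the allowlist check a sort parameter such as `_order` needs before it may reach an ORDER BY clause, and then runs that same check over constructed access-log lines to flag probes against the rbacuser listing. The column names, the log lines and the injection payloads are illustrative assumptions; the `s=/admin/rbacuser/index` route is the endpoint the PoC analyses name.

```python
"""
Added example, not EasyCMS code and not any listed PoC: allowlist validation
for a sort parameter such as `_order`, plus a scan of constructed access-log
lines for requests that fail that validation against the rbacuser listing.
Column names, payloads and log lines are illustrative assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed sortable columns of the admin user list. A real fix derives this
# from the model definition, never from anything the client sends.
ALLOWED_COLUMNS = {"id", "username", "email", "status", "create_time"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

# Tokens typical of time-based, boolean and stacked ORDER BY payloads.
SUSPICIOUS = re.compile(
    r"sleep\s*\(|benchmark\s*\(|\bif\s*\(|\bcase\b|\bunion\b|\bselect\b"
    r"|\bor\b|\band\b|--|#|;|'|\"|/\*",
    re.IGNORECASE,
)


def is_safe_order(value: str) -> bool:
    """True only for `<column>` or `<column> <asc|desc>` with an allowlisted
    column. ORDER BY cannot be parameterised, so this check, not quoting,
    is what keeps attacker-controlled text out of the SQL."""
    parts = value.strip().split()
    if not 1 <= len(parts) <= 2 or parts[0] not in ALLOWED_COLUMNS:
        return False
    return len(parts) == 1 or parts[1].lower() in ALLOWED_DIRECTIONS


def build_order_clause(value: str, default: str = "id DESC") -> str:
    """ORDER BY fragment: the validated client value, else a fixed default.
    The raw value is never concatenated, even after 'escaping'."""
    return value.strip() if is_safe_order(value) else default


# Common Log Format; captures the request target so its query can be parsed.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def extract_order_param(target: str):
    """Return the decoded `_order` value from a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("_order")
    return values[0] if values else None


def scan_access_log(lines):
    """Return (ip, target, _order, reason) for rbacuser requests whose
    `_order` would have been refused by is_safe_order()."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "rbacuser" not in m.group("target").lower():
            continue
        order = extract_order_param(m.group("target"))
        if not order or is_safe_order(order):
            continue
        reason = ("injection payload" if SUSPICIOUS.search(order)
                  else "non-allowlisted sort expression")
        findings.append((m.group("ip"), m.group("target"), order, reason))
    return findings


# Constructed sample traffic (not real logs). The payloads are generic
# ORDER BY time-based probes written for this example, not copied from a PoC.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /index.php?s=/admin/rbacuser/index&_order=username HTTP/1.1" 200 4311',
    '203.0.113.7 - - [12/Mar/2026:10:01:05 +0000] "GET /index.php?s=/admin/rbacuser/index&_order=id%20desc HTTP/1.1" 200 4311',
    '198.51.100.23 - - [12/Mar/2026:10:02:11 +0000] "GET /index.php?s=/admin/rbacuser/index&_order=id%20AND%20SLEEP(5) HTTP/1.1" 200 4311',
    '198.51.100.23 - - [12/Mar/2026:10:02:18 +0000] "GET /index.php?s=/admin/rbacuser/index&_order=(select%20case%20when%20(1%3D1)%20then%20sleep(5)%20else%201%20end) HTTP/1.1" 200 4311',
    '198.51.100.23 - - [12/Mar/2026:10:03:00 +0000] "GET /index.php?s=/admin/rbacuser/index&_order=password HTTP/1.1" 200 4311',
    '192.0.2.9 - - [12/Mar/2026:10:04:00 +0000] "GET /index.php?s=/admin/index/index HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for ip, target, order, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {reason}: _order={order!r}")
```

Two design notes. The detector reuses the validator rather than a separate signature list, so anything the patched handler would reject is a finding and the signature regex only labels the finding; that way a novel payload still surfaces as "non-allowlisted sort expression". Sorting by a column outside the allowlist (here `password`) is flagged too, because ordering rows by a secret column is itself an oracle for extracting it.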

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-3786

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ThinkPHP (or similar PHP framework)
No auth needed
Prerequisites: Access to the vulnerable endpoint · Network connectivity to the target
devstral-2 · analyzed Mar 12, 2026
nomisec WORKING POC
by Mefhika120 · poc
https://github.com/Mefhika120/CVE-2026-3786

This repository contains a functional exploit for CVE-2026-3786, demonstrating SQL injection leading to RCE via file upload and command execution. The exploit includes payloads for time-based SQLi, shell upload, and database name extraction.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ThinkPHP (likely version not specified)
No auth needed
Prerequisites: Access to the target's `/admin/rbacuser/index` endpoint
devstral-2 · analyzed Apr 16, 2026
nomisec WORKING POC
by snapdowgg · poc
https://github.com/snapdowgg/CVE-2026-3786

The repository contains a functional exploit for CVE-2026-3786, demonstrating SQL injection leading to RCE via command injection in the `_order` parameter of an admin endpoint. It includes shell upload, database name extraction, and RCE testing capabilities.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ThinkPHP-based applications (likely a specific CMS or framework)
Auth required
Prerequisites: Access to `/index.php?s=/admin/rbacuser/index` endpoint · Valid session or authentication to admin panel
devstral-2 · analyzed Mar 12, 2026

References (4)

Core References
https://vuldb.com/?id.349753 (VDB entry, technical description; permissions required)
https://vuldb.com/?ctiid.349753 (VDB entry, signature; permissions required)
https://vuldb.com/?submit.766141 (VDB entry, third-party advisory; permissions required)
https://github.com/ueh1013/VULN/issues/20 (issue tracking, exploit)

Scores

CVSS v3 6.3
EPSS 0.0028
EPSS Percentile 19.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection"), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")
Status published
Products (1)
easycms/easycms < 1.6
Published Mar 08, 2026
Tracked Since Mar 09, 2026