CVE-2026-49491
Severity: HIGH
Pixa Bank 2.0 - Unauthenticated SQL Injection via 'rib' Parameter in agence-ajax.php
Title source: llmDescription
Pixa Bank 2.0 contains an SQL injection vulnerability in the 'rib' parameter of the agence-ajax.php endpoint. An unauthenticated attacker can send a POST request with a UNION-based SQL payload in that parameter to extract sensitive data, including user names, email addresses, and phone numbers, from the database.
References (3)
Exploit (Various Sources): https://packetstorm.news/files/id/220748/
Product (Various Sources): https://pixastudio.com/
Third Party Advisory: https://www.vulncheck.com/advisories/pixa-bank-sql-injection-via-agence-ajax-php-api
Scores
CVSS v3: 8.2
EPSS: 0.0034
EPSS Percentile: 26.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Status: published
Products (1): Pixastudio/Pixa Bank 2.0
Published: Jun 01, 2026
Tracked Since: Jun 02, 2026