PatchSiren cyber security CVE debrief
CVE-2026-38581 damasac CVE debrief
A SQL Injection vulnerability was discovered in damasac thaipalliative_lte through version 3.0. This vulnerability allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.
- Vendor: damasac
- Product: thaipalliative_lte
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of damasac thaipalliative_lte through version 3.0
Technical summary
The vulnerability exists because user-supplied input is concatenated directly into SQL query strings rather than passed through parameterized statements. Specifically, the idFormMain parameter handled in /substudy/ezform.php (line 14) and the id parameter (line 49) are affected. Because the query text itself is built from request data, a remote attacker can alter the structure of the query and execute arbitrary SQL commands.
Defensive priority
High
Recommended defensive actions
- Update to a version of damasac thaipalliative_lte that is not vulnerable
- Use parameterized SQL queries or prepared statements to prevent SQL injection
- Validate and sanitize user input to prevent malicious SQL commands
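The following is a constructed illustration of the defect class and of the prepared-statement fix recommended above; it is added here as an example and is not taken from the thaipalliative_lte source. The table and column names, and the assumption that idFormMain is an integer identifier, are assumptions for the sake of the example.

```php
<?php
// Constructed example, not the project's code. Table/column names and the
// integer type of idFormMain are assumptions made for illustration.

// The pattern the advisory describes: the request parameter is embedded in the
// SQL string, so a crafted value changes the structure of the query itself.
function load_form_vulnerable(mysqli $db, array $get): ?array
{
    $idFormMain = $get['idFormMain'] ?? '';
    $sql = "SELECT * FROM form_main WHERE idFormMain = '" . $idFormMain . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened version: the query text is fixed at compile time and the value is
// bound separately, so the database never interprets it as SQL. Input
// validation is an additional layer, not the primary defence.
function load_form_safe(mysqli $db, array $get): ?array
{
    // Assumed: identifiers are non-negative integers. Reject anything else
    // before it reaches the database.
    $idFormMain = filter_var(
        $get['idFormMain'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($idFormMain === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $db->prepare('SELECT * FROM form_main WHERE idFormMain = ?');
    $stmt->bind_param('i', $idFormMain);   // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// The id parameter mentioned at line 49 of the advisory should be handled the
// same way: a fixed query string with the value supplied through bind_param().
```

Enabling mysqli exception reporting (mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)) at startup makes a failed prepare() surface as an error instead of silently returning false.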
Evidence notes
The CVE-2026-38581 record was obtained from the official CVE database. Additional information was obtained from the following sources: [ref-4](https://github.com/damasac/thaipalliative_lte/blob/57b57630fb403eba524533062ef5244e9b7c4380/substudy/ezform.php#L14) and [ref-5](https://github.com/theemperorspath/advisories/blob/main/2026/CVE-2026-38581.md)
Official resources
CVE-2026-38581 was published on 2026-06-11T14:16:27.123Z and modified on 2026-06-11T16:16:22.620Z.