PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47956 Egavilanmedia CVE debrief

CVE-2021-47956 describes an unauthenticated SQL injection in EgavilanMedia PHPCRUD 1.0. The issue affects database queries reached through the firstname parameter in a POST request to insert.php, allowing attackers to manipulate SQL and potentially extract sensitive database information.

Vendor: Egavilanmedia
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-16
Original CVE updated: 2026-05-16
Advisory published: 2026-05-16
Advisory updated: 2026-05-16

Who should care

Administrators, developers, and security teams responsible for EgavilanMedia PHPCRUD 1.0 or any deployment that exposes the affected insert.php workflow. Database owners should also treat this as a priority because the flaw is unauthenticated and directly impacts query integrity.

Technical summary

The NVD record and linked VulnCheck advisory identify CWE-89 (SQL Injection) in EgavilanMedia PHPCRUD 1.0. The vulnerability is triggered by attacker-controlled input in the firstname parameter, sent via POST to insert.php, where it can alter SQL queries without authentication. The provided CVSS 4.0 vector indicates network reachability with no privileges or user interaction required, and the NVD entry rates the issue 8.8 HIGH.

Defensive priority

High. Because exploitation is unauthenticated and can expose database contents, this should be treated as a near-term remediation item for any exposed instance.

Recommended defensive actions

  • Identify all deployments of EgavilanMedia PHPCRUD 1.0 and determine whether insert.php is reachable from untrusted networks.
  • If a vendor-supplied fix, or a version that explicitly addresses SQL injection in firstname handling, is available, apply it.
  • Review server-side code paths that build SQL from request parameters and replace string concatenation with parameterized queries or prepared statements.
  • Restrict database account privileges for the application to limit blast radius if injection is attempted.
  • Add logging and alerting for abnormal POST traffic to insert.php and for unexpected SQL errors or query patterns.
  • If the application is internet-facing and no fix is available, consider disabling or isolating the affected endpoint until remediation is complete.
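The code-review action in the third bullet, shown as an added example that is not EgavilanMedia PHPCRUD's own code: a constructed insert handler in the string-concatenation pattern that CWE-89 describes, beside a hardened version that uses a PDO prepared statement. The table and column names, the DSN and the `crud_writer` account are assumptions made for illustration.

```php
<?php
// Added example, not the project's code. Table "users" and columns
// firstname/lastname are assumed for illustration.

// VULNERABLE pattern: request data is spliced straight into the query
// text, so the firstname value can change the statement's structure
// (CWE-89). Shown only so the contrast with the fixed form is clear.
function insertUserVulnerable(PDO $db, array $post): void
{
    $sql = "INSERT INTO users (firstname, lastname) VALUES ('"
        . $post['firstname'] . "', '" . $post['lastname'] . "')";
    $db->exec($sql);
}

// HARDENED pattern: the statement is compiled with placeholders first
// and the values are bound afterwards, so they can only ever be data.
function insertUserSafe(PDO $db, array $post): int
{
    $firstname = trim((string) ($post['firstname'] ?? ''));
    $lastname  = trim((string) ($post['lastname'] ?? ''));

    // Length and presence checks are application validation, not the
    // SQL defence; the prepared statement below is what stops injection.
    if ($firstname === '' || strlen($firstname) > 64 || strlen($lastname) > 64) {
        throw new InvalidArgumentException('invalid name fields');
    }

    $stmt = $db->prepare(
        'INSERT INTO users (firstname, lastname) VALUES (:firstname, :lastname)'
    );
    $stmt->bindValue(':firstname', $firstname, PDO::PARAM_STR);
    $stmt->bindValue(':lastname', $lastname, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Connection setup: disable emulated prepares so the database server
// performs the binding itself, and raise errors as exceptions so a
// failed query is logged rather than silently ignored.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Placeholder DSN and credentials; use a low-privilege account that
    // can only INSERT into the tables this endpoint needs (fourth bullet).
    $db = connect('mysql:host=localhost;dbname=crud', 'crud_writer', 'PLACEHOLDER');
    echo json_encode(['id' => insertUserSafe($db, $_POST)]);
}
```

Every query in the application that is assembled from request parameters needs the same treatment; fixing only the firstname path leaves the other columns in the same statement exposed.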

Evidence notes

This debrief is based on the supplied NVD CVE record for CVE-2021-47956, which names CWE-89 and describes an unauthenticated SQL injection via the firstname parameter in POST requests to insert.php. The supplied source metadata also cites EgavilanMedia pages, an Exploit-DB reference, and a VulnCheck advisory as related references.

Official resources

CVE metadata in the supplied source item was published and last modified on 2026-05-16. No KEV listing was provided in the source corpus.