PatchSiren cyber security CVE debrief
CVE-2021-47980 Exploit Db CVE debrief
CVE-2021-47980 describes a blind SQL injection in Fuel CMS 1.4.13. An authenticated attacker can abuse the Activity Log interface by supplying crafted SQL in the 'col' parameter to influence database queries and infer information through response-time differences. The supplied sources classify this as CWE-89 and rate it high severity.
- Vendor: Exploit Db
- Product: Unknown
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
Fuel CMS administrators, application owners, and security teams operating exposed or internally reachable Fuel CMS 1.4.13 deployments should treat this as a priority. It is especially relevant where authenticated users can access the Activity Log interface.
Technical summary
The source corpus states that Fuel CMS 1.4.13 is vulnerable to blind SQL injection in the Activity Log logs endpoint via the 'col' parameter. Because the attack requires authentication, the NVD metadata reflects PR:L in its CVSS vector, but the issue still allows database query manipulation and time-based inference of database content. The weakness is mapped to CWE-89.
Defensive priority
High. Authenticated SQL injection can expose database information and is often a stepping stone to broader compromise, so affected Fuel CMS deployments should be reviewed and remediated quickly.
Recommended defensive actions
- Identify any Fuel CMS 1.4.13 instances and restrict access to the Activity Log interface to trusted administrative users only.
- Apply the vendor or project fix if available, or upgrade away from the affected release after validating release notes and change impact.
- Review how the 'col' parameter is handled: it should go through parameterized queries and strict server-side allowlisting rather than string concatenation.
- Monitor web and database logs for unusual Activity Log requests, repeated timing-based probing, or abnormal query patterns.
- Add compensating controls such as WAF rules, least-privilege database accounts, and segmentation around the CMS and its database.
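The allowlisting recommended above for the 'col' parameter, as an added example that is not Fuel CMS code or a project patch: a column name cannot be bound as a query parameter, so it is mapped through a server-defined allowlist while filter values stay bound. It is written in Python with sqlite3 as a stand-in for the CMS's own stack, and the table name, column names and function names are assumptions.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions for this example,
# not taken from Fuel CMS.
SORTABLE_COLUMNS = {"entry_date": "entry_date", "user_name": "user_name",
                    "message": "message"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def resolve_sort(col, order="asc"):
    """Map untrusted request values to SQL fragments the server itself defines."""
    try:
        return SORTABLE_COLUMNS[col], SORT_DIRECTIONS[order.lower()]
    except (KeyError, AttributeError, TypeError):
        raise ValueError("unsupported sort parameter") from None


def list_activity(conn, col, order="asc", user=None):
    # Identifiers cannot be bound as parameters, so the column comes from the
    # allowlist; the filter value is data and is always bound with "?".
    column, direction = resolve_sort(col, order)
    sql = "SELECT entry_date, user_name, message FROM activity_log"
    params = []
    if user is not None:
        sql += " WHERE user_name = ?"
        params.append(user)
    sql += f" ORDER BY {column} {direction}"
    return conn.execute(sql, params).fetchall()


def make_sample_db():
    # Constructed sample rows, for illustration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity_log "
                 "(entry_date TEXT, user_name TEXT, message TEXT)")
    conn.executemany("INSERT INTO activity_log VALUES (?, ?, ?)", [
        ("2024-01-03", "alice", "edited page"),
        ("2024-01-01", "bob", "logged in"),
        ("2024-01-02", "alice", "uploaded asset"),
    ])
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(list_activity(db, "entry_date", "desc"))
    try:
        list_activity(db, "entry_date, (SELECT 1)")  # not an allowlisted name
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting with a generic error, rather than echoing the supplied value or a database message, also keeps the endpoint from leaking query structure.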
Evidence notes
The supplied corpus directly states that Fuel CMS 1.4.13 contains a blind SQL injection through the Activity Log 'col' parameter and that authenticated attackers can infer data using response-time delays. NVD metadata in the corpus lists CWE-89 and a CVSS v4.0 vector with network reachability and low privileges required. Referenced source items include the Fuel CMS 1.4.13 archive, the Fuel CMS project site, a VulnCheck advisory, and an Exploit-DB entry. No fixed version or original disclosure date is included in the supplied material.
Official resources
The supplied CVE and source timeline metadata are all dated 2026-05-16; those timestamps are treated as source context only. The corpus does not include the original vulnerability discovery date or a confirmed remediation publication date.