CRITICAL
brainstormforce
CVE published 2026-05-20
CVE-2026-9065
CVE-2026-9065 is a critical authenticated SQL injection vulnerability affecting SureCart versions prior to 4.2.1. The vulnerability resides in the REST API endpoint `/surecart/v1/integrations/{id}` and can be exploited through multiple parameters: `model_name`, `model_id`, `integration_id`, and `provider`. The root cause is a flawed escaping bypass in the `wp-query-builder` query builder. Values passed to [truncated]