CRITICAL
damasac
CVE published 2026-06-11
CVE-2026-38581
A SQL Injection vulnerability was discovered in damasac thaipalliative_lte through version 3.0. This vulnerability allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.