
CVE-2026-6490: QueryMine SMS SQL Injection

The QueryMine SMS PHP project is affected by a critical vulnerability, identified as CVE-2026-6490. This vulnerability allows an unauthenticated remote attacker to perform SQL injection (SQLi) and unauthorized data modification. The flaw resides in the admin/deletecourse.php endpoint, which fails to enforce authentication or sanitize user-supplied input before executing database operations.

The application architecture utilizes a simple PHP-based backend for SMS management. My analysis of the admin/deletecourse.php file reveals a severe implementation flaw in the core logic.

The administrative endpoint lacks any form of session validation. The application does not check for the presence or validity of a session cookie or administrative role permissions. Consequently, any request directed at this file is processed by the server regardless of the initiator’s authentication state.

The vulnerability is rooted in the handling of the id GET parameter:

$get_course_id = $_GET['id'];                                  // value taken verbatim from the URL
$sql = "DELETE FROM course WHERE course_id='$get_course_id'";  // interpolated straight into the query string
mysqli_query($conn, $sql);                                     // $conn: the application's database handle (name assumed)

The script retrieves the id directly from the URL parameter and concatenates it into the SQL query string. There is no input sanitization, filtering, or use of prepared statements. This pattern permits an attacker to inject arbitrary SQL commands. While the current implementation facilitates simple unauthorized deletion, the potential impact extends to full database manipulation, including data exfiltration or unauthorized administrative account creation.

The exploitation process is straightforward. An attacker only requires network access to the target web server.

  1. Identify the target URL hosting the QueryMine SMS system.
  2. Construct a malicious GET request targeting admin/deletecourse.php.
  3. Append the desired course id to the id parameter.
  4. Observe the server’s response; a successful exploitation results in a redirect, though the database operation completes immediately.

Example of a benign deletion request: GET /admin/deletecourse.php?id=59 HTTP/1.1

Security teams should focus on web access logs to identify anomalous behavior related to this vulnerability.

title: QueryMine SMS SQL Injection and Unauthorized Access
status: experimental
description: Detects exploitation of CVE-2026-6490 via unauthorized course deletion.
logsource:
    category: web
detection:
    selection:
        uri|endswith: /admin/deletecourse.php
        params|contains: id=
    condition: selection

The vendor has not provided an official patch for this rolling-release project. Organizations deploying QueryMine SMS should take immediate action to secure the implementation:

  1. Implement Authentication: Add mandatory session verification to all files within the admin/ directory.
  2. Use Prepared Statements: Replace raw SQL concatenation with PDO or MySQLi prepared statements to prevent injection.
  3. Restrict Access: Restrict access to the admin/ directory via server-level configurations (e.g., .htaccess or Nginx location blocks) to authorized network segments or VPN IPs only.
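The following is a hardened replacement for admin/deletecourse.php that applies the first two recommendations above. It is an added example, not the project's own code or a vendor patch. It assumes that the application's login flow sets $_SESSION['logged_in'] and $_SESSION['role'] (names are assumptions), that a shared include at includes/db.php defines a MySQLi connection in $conn (path and name assumed), and that the original endpoint redirects to a course listing page after deletion (the target course.php is a placeholder).

```php
<?php
// Hardened admin/deletecourse.php: added example for CVE-2026-6490, not the project's code.
// Assumptions: the login flow sets $_SESSION['logged_in'] = true and $_SESSION['role'] = 'admin';
// includes/db.php creates a mysqli connection in $conn; course.php is the listing page to return to.
declare(strict_types=1);

session_start();

// 1. Implement Authentication: refuse any request without a valid administrative session.
//    The original file performed no check at all, so unauthenticated requests reached the database.
if (empty($_SESSION['logged_in']) || ($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Validate the input shape before it reaches the database layer.
//    course_id is an integer key, so anything that is not a positive integer is rejected outright.
$course_id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($course_id === false || $course_id === null) {
    http_response_code(400);
    exit('Invalid course id');
}

require_once __DIR__ . '/../includes/db.php'; // assumed include that defines $conn (mysqli)

// 3. Use Prepared Statements: the id is bound as a typed parameter and never concatenated into SQL,
//    so the string "59' OR '1'='1" can only ever be compared as data (and fails the integer check above anyway).
$stmt = $conn->prepare('DELETE FROM course WHERE course_id = ?');
if ($stmt === false) {
    http_response_code(500);
    exit('Database error');
}
$stmt->bind_param('i', $course_id);
$stmt->execute();
$deleted = $stmt->affected_rows; // 0 when no such course exists, 1 on success
$stmt->close();

// Preserve the original behaviour of redirecting back to the listing, with an outcome flag for the UI.
header('Location: course.php?deleted=' . $deleted);
exit;
```

Two design points worth noting. The session check belongs in a shared include required at the top of every file under admin/, so that a single omitted line does not recreate the flaw in another endpoint; the block above inlines it only to keep the example self-contained. Separately, a state-changing operation such as deletion should not be reachable via a plain GET link, since that is what makes a single crafted URL sufficient; moving it to a POST form carrying a session-bound CSRF token is the natural follow-on change once the authentication and prepared-statement fixes are in place.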