Home

Description

Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user information including names, email addresses, and phone numbers from the database.

PUBLISHED Reserved 2026-05-31 | Published 2026-06-01 | Updated 2026-06-02 | Assigner VulnCheck




HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

2.0
affected

Credits

indoushka finder

References

packetstorm.news/files/id/220748/ (PacketStorm-220748) exploit

pixastudio.com/ (Pixa Studio Website) product

www.vulncheck.com/...k-sql-injection-via-agence-ajax-php-api (VulnCheck Advisory: Pixa Bank 2.0 SQL Injection via agence-ajax.php API) third-party-advisory

cve.org (CVE-2026-49491)

nvd.nist.gov (CVE-2026-49491)

Download JSON