CVE-2026-43937— YAF.NET: Pre-Handler Authorization Bypass on Admin Pages Enabling Blind SQL Execution via `/Admin/RunSql`
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43937
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
YAF.NET: Pre-Handler Authorization Bypass on Admin Pages Enabling Blind SQL Execution via `/Admin/RunSql`
Source: NVD (National Vulnerability Database)
Vulnerability Description
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user. This vulnerability is fixed in 4.0.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
YAFNET SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
YAFNET是YAFNET个人开发者的ASP.NET 开源论坛解决方案。 YAFNET 4.0.5之前版本存在SQL注入漏洞,该漏洞源于管理员OnPost处理程序在执行副作用后才重定向响应,可能导致低权限用户执行任意SQL。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-43937
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-43937
请登录查看更多情报信息。
- https://github.com/YAFNET/YAFNET/security/advisories/GHSA-xhw7-j96h-c3g5x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-43937
Same Patch Batch · YAFNET · 2026-05-12 · 3 CVEs total
| CVE-2026-43938 | 8.1 HIGH | YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Ag |
| CVE-2026-43939 | 7.3 HIGH | YAF.NET: Stored XSS in Forum Thread Posts/Replies Allowing Arbitrary JavaScript Execution |
IV. Related Vulnerabilities
Same weakness: CWE-89
- CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-46364
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCap - CVE-2026-46359
phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Un - CVE-2021-47966
PHP Timeclock 1.04 SQL Injection via login.php - CVE-2026-7046
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.12 -
V. Comments for CVE-2026-43937
No comments yet