Medium
resolved
resolved
SQL injection in structure plugin
Bug reported by Volkov Fedor was disclosed at January 26, 2026, 8:11 pm | SQL Injection
An SQL injection flaw was discovered in ExpressionEngine's Structure plugin. User input from the channel_ids parameter was passed directly into SQL queries without proper sanitization. The vulnerability required admin panel access.
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
