+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2026-01-26 (/Thread-HackerOne-Disclosed-Reports-2026-01-26)
HackerOne disclosed reports - 2026-01-26 - hashXploiter - 01-27-2026
Medium
resolved
resolved
SQL injection in structure plugin
Bug reported by Volkov Fedor was disclosed at January 26, 2026, 8:11 pm | SQL Injection
An SQL injection flaw was discovered in ExpressionEngine's Structure plugin. User input from the channel_ids parameter was passed directly into SQL queries without proper sanitization. The vulnerability required admin panel access.