HackerOne Disclosed Reports - 2026-01-26


Severity: Medium
Status: resolved

SQL injection in structure plugin


Bug reported by Volkov Fedor was disclosed on January 26, 2026, 8:11 pm | SQL Injection

An SQL injection flaw was discovered in ExpressionEngine's Structure plugin. User input from the channel_ids parameter was passed directly into SQL queries without proper sanitization. The vulnerability required admin panel access.
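
One way to handle an ID-list parameter such as channel_ids so that request text never becomes part of the SQL string. This is an added example, not code from ExpressionEngine, the Structure plugin or the report. The helper names, the demo_channels table, the comma-separated input format and the use of PDO with in-memory SQLite (PHP 8) are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a list of positive integer IDs and
// reject everything else outright instead of trying to clean it up.
function parseChannelIds(mixed $raw, int $maxIds = 100): array
{
    // Assumption: the value arrives as an array or a comma-separated string.
    $parts = is_array($raw) ? $raw : explode(',', is_string($raw) ? $raw : '');
    if ($parts === [] || count($parts) > $maxIds) {
        throw new InvalidArgumentException('channel_ids: bad item count');
    }
    $ids = [];
    foreach ($parts as $part) {
        // Digits only: no sign, whitespace, hex, exponent or trailing text.
        $ok = (is_string($part) || is_int($part))
            && preg_match('/\A[1-9][0-9]{0,9}\z/', (string) $part) === 1;
        if (!$ok) {
            throw new InvalidArgumentException('channel_ids: non-integer value');
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

// Hypothetical query: one placeholder per validated ID, each bound as an
// integer, so the SQL text contains only "?" and never the request value.
function fetchChannels(PDO $db, mixed $rawChannelIds): array
{
    $ids = parseChannelIds($rawChannelIds);
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT channel_id, title FROM demo_channels WHERE channel_id IN ($marks) ORDER BY channel_id");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data and inputs (not taken from the report).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_channels (channel_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO demo_channels VALUES (1, 'News'), (2, 'Blog'), (3, 'Drafts')");
foreach (['1,3', ['2'], '1 OR 1=1', ''] as $input) {
    try {
        echo json_encode($input), ' => ', json_encode(fetchChannels($db, $input)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($input), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same validation applies to admin-only endpoints like the one in this report: requiring a control-panel login limits who can send the request, not what the query does with it.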




