## https://sploitus.com/exploit?id=1E3DE00B-953D-5D10-9EA1-764534FCBE4E
# CVE-2026-36826: SQL Injection in genesisQL <= 1.1.1

## Summary
genesisQL 1.1.1 is vulnerable to SQL Injection in the `checkPassword`
function. User-supplied `username` and `password` fields are
interpolated directly into the SQL query string without
parameterization, allowing unauthenticated SQL injection and
authentication bypass via the login form.

## Affected Product
- **Vendor**: Open Source Labs
- **Product**: genesisQL
- **Version**: 1.1.1 (and possibly earlier)

## Vulnerability Details
**CWE-89**: Improper Neutralization of Special Elements used in an SQL Command

File: `server/utils/userController.js`

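```javascript
function checkPassword (req, res, next){
    // username and password come straight from the request body
    const { username, password } = req.body;
    // Both values are interpolated into the SQL text without parameterization
    const text = `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
}
```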

## Impact
Authentication bypass via SQL injection in login form (unauthenticated, remote).

## Disclosure Timeline
- [date]: Reported to vendor via [method]
- [date + ~6 months]: No response from vendor
- 2026-06-05: CVE-2026-36826 assigned by MITRE
- [date]: Public disclosure

## Discoverers
- Tulkin Urinbaev
- Vladyslav Koniakhin

## Reference
- https://github.com/oslabs-beta/genesisQL/blob/main/server/utils/userController.js

## Remediation
Use parameterized queries / prepared statements instead of string interpolation.
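
The remediation, shown as an added example that is not genesisQL's own code: the interpolated query from `checkPassword` beside a parameterized form. It assumes a database client `db` exposing `query(text, values)` with `$1`-style placeholders (as in node-postgres); `buildInterpolated`, `buildParameterized`, `checkPasswordSafe` and `quoteCount` are hypothetical names.

```javascript
// Added example, not genesisQL's code. Assumption: `db` exposes
// query(text, values) with $1-style placeholders (node-postgres style).

// Vulnerable pattern from the advisory: input becomes part of the SQL text.
function buildInterpolated(username, password) {
  return `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
}

// Hardened: the SQL text is a constant; input travels only in `values`.
const LOGIN_SQL = 'SELECT * FROM users WHERE username=$1 AND password=$2';

function buildParameterized(body) {
  const { username, password } = body || {};
  // Reject non-string fields so a JSON object or array never reaches the driver.
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { text: LOGIN_SQL, values: [username, password] };
}

// Hypothetical replacement for checkPassword (Express-style middleware).
async function checkPasswordSafe(req, res, next, db) {
  let q;
  try {
    q = buildParameterized(req.body);
  } catch (err) {
    return res.status(400).json({ error: err.message });
  }
  const result = await db.query(q.text, q.values);
  if (result.rows.length !== 1) {
    return res.status(401).json({ error: 'invalid credentials' });
  }
  res.locals.user = result.rows[0];
  return next();
}

// A fixed template has a fixed number of quote characters; a count that
// varies with the input means the input is changing the statement itself.
function quoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}

// Constructed sample input: a legitimate surname containing an apostrophe.
const sample = { username: "o'brien", password: 'pw' };
console.log(quoteCount(buildInterpolated(sample.username, sample.password)));
console.log(buildParameterized(sample));
```

With the interpolated form, an ordinary apostrophe in a name already changes the statement's quoting; with the parameterized form the SQL text is identical for every request.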