## https://sploitus.com/exploit?id=5ADF4FB7-C36C-5BD4-B308-4478A6465507
# CVE-2026-54597: ITFlow Time-Based Blind SQL Injection

**Severity:** High

**Advisory:** [GHSA-m63v-j7fw-hq2h](https://github.com/itflow-org/itflow/security/advisories/GHSA-m63v-j7fw-hq2h)

**Affected:** ITFlow (agent/ajax.php, `expires` parameter)

**Fixed in:** Commit [63d8691](https://github.com/itflow-org/itflow/commit/63d8691)

**Author:** [iltosec](https://iltosec.com)
## Summary
ITFlow's share-link generation handler contains a time-based blind SQL injection.
The `expires` GET parameter is passed directly into a MySQL `INTERVAL`
expression without numeric validation. Because `INTERVAL` takes a bare expression
rather than a quoted string, string escaping alone does not help, and an
authenticated user can use the injection to exfiltrate arbitrary data from the
database one bit at a time via response timing.

Full write-up: [CVE-2026-54597: Authenticated Time-Based Blind SQL Injection in ITFlow](https://iltosec.com/blog/post/CVE-2026-54597-authenticated-time-based-blind-sql-injection-in-itflow/)
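To make the bug class concrete from the defender's side, here is an added example (not ITFlow's code and not the change in commit 63d8691) of a hypothetical share-expiry handler in the vulnerable shape described above, next to a hardened one. `$mysqli` is assumed to be an open `mysqli` connection and the `share_expiry_*` function names are invented.

```php
<?php
// Added illustration, not ITFlow's code: a hypothetical share-link expiry
// lookup that interpolates the `expires` GET parameter into an INTERVAL
// expression (the bug class described above), and a hardened version.

// Vulnerable pattern: the value is only string-escaped, but INTERVAL takes
// a bare expression, so quoting is irrelevant and non-numeric input reaches
// the SQL parser unchanged. Returns the query text to make that visible.
function share_expiry_vulnerable(mysqli $mysqli, string $expires): string {
    $escaped = $mysqli->real_escape_string($expires); // escapes quotes only
    return "SELECT DATE_ADD(NOW(), INTERVAL $escaped DAY)";
}

// Hardened pattern: reject anything that is not a small positive integer
// before it touches SQL, then bind it as an integer parameter so the query
// text is fixed regardless of input. Returns the expiry timestamp, or null
// (with a 400) when the input is rejected.
function share_expiry_hardened(mysqli $mysqli, string $expires): ?string {
    $days = filter_var($expires, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 365]]);
    if ($days === false) {
        http_response_code(400);
        error_log("share link: rejected non-numeric expires value");
        return null; // nothing was sent to the database
    }
    $stmt = $mysqli->prepare("SELECT DATE_ADD(NOW(), INTERVAL ? DAY)");
    $stmt->bind_param('i', $days);
    $stmt->execute();
    $stmt->bind_result($expires_at);
    $stmt->fetch();
    $stmt->close();
    return $expires_at;
}
```

Logging the rejected value (rather than silently defaulting) also gives a detection signal: repeated 400s on this endpoint from one account are what a time-based probing attempt looks like in the access log.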
## Usage
```bash
python exploit.py http://itflow.com iltosec@iltosec.com 'emsJ_;PD@@;-r>4' 1
```