
Security Bulletin for 5 July 2026: Critical NoSQL Injection in cve-search, OIDC Account Takeover in Keycloak and a Wave of SQL Injection in PHP Demo Applications

5 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 5 July 2026 brings no new reports for the narrower circle of WordPress, WooCommerce, Shopware and the PHP core. We therefore pick out two flaws from the wider hosting infrastructure and close by putting a striking cluster of reports in small PHP applications into context.

CVE-2026-59509 — Unauthenticated NoSQL Injection in cve-search (critical)

The open-source tool cve-search, which security teams use to search a local copy of the vulnerability database, is itself vulnerable: in versions 4.0 up to and including 6.0.0 the POST /fetch_cve_data endpoint fails to validate the parameters that select the MongoDB collection to query, the fields to return and the filter expressions to apply. Because these values flow unchecked into the database query, an attacker without any login can redirect the query away from the intended CVE data toward any other collection in the application and choose which fields are returned. This makes it possible, among other things, to read the collection holding the administrator accounts together with their password hashes; the recovered hashes can then be cracked offline, leading to takeover of the cve-search administrative account. The National Vulnerability Database assigns a CVSS score of 9.2 (CVSS 4.0), classifies the flaw as critical and assigns it to weakness class CWE-20 (improper input validation). The vulnerability is fixed in version 6.0.1, to which operators should update without delay.
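The defensive counterpart to the flaw described above is to validate all three selectors (collection, returned fields, filter) against an allowlist before anything reaches the database driver. The block below is an added illustration written for this bulletin, not code from cve-search or its fix; the request keys `collection`, `fields` and `filter`, the collection and field names, and the `InvalidRequest` type are assumptions chosen to mirror the three unchecked inputs the advisory names.

```python
"""Allowlist validation for a "fetch CVE data" request before it reaches MongoDB.

Added illustration for the cve-search flaw (CWE-20) described in the bulletin;
this is not cve-search's own code. The request keys ("collection", "fields",
"filter"), the collection and field names and the InvalidRequest type are
assumptions chosen to mirror the three unchecked selectors the advisory names.
"""
import re

# Collections this endpoint is meant to serve (assumed names). Anything else,
# such as a collection holding user accounts, is refused before any query runs.
ALLOWED_COLLECTIONS = {"cves", "cpe", "cwe"}

# Fields the endpoint may return, per collection (assumed names).
ALLOWED_FIELDS = {
    "cves": {"id", "summary", "cvss", "published", "modified"},
    "cpe": {"id", "title", "vendor", "product"},
    "cwe": {"id", "name", "description"},
}

# Filter values must be plain strings of a conservative shape. Nested objects
# are refused because in MongoDB a nested object is how query operators are spelled.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9 ._:/-]{1,200}$")


class InvalidRequest(ValueError):
    """Raised when a request asks for data outside the allowlist."""


def build_query(payload: dict) -> dict:
    """Turn an untrusted request body into a query spec, or raise InvalidRequest."""
    collection = payload.get("collection", "cves")
    if collection not in ALLOWED_COLLECTIONS:
        raise InvalidRequest(f"collection not permitted: {collection!r}")
    allowed = ALLOWED_FIELDS[collection]

    # Returned fields: default to everything permitted, never anything more.
    fields = payload.get("fields") or sorted(allowed)
    if not isinstance(fields, list) or not all(f in allowed for f in fields):
        raise InvalidRequest("requested field not permitted")

    # Filter: keys must be permitted fields, values must be plain scalars.
    raw_filter = payload.get("filter") or {}
    if not isinstance(raw_filter, dict):
        raise InvalidRequest("filter must be an object")
    mongo_filter = {}
    for key, value in raw_filter.items():
        if key not in allowed:
            raise InvalidRequest(f"filter key not permitted: {key!r}")
        if not isinstance(value, str) or not _SAFE_VALUE.match(value):
            raise InvalidRequest(f"filter value not permitted for {key!r}")
        mongo_filter[key] = value

    # Projection in find() shape: requested fields on, MongoDB's _id off.
    projection = {f: 1 for f in fields}
    projection["_id"] = 0
    return {"collection": collection, "filter": mongo_filter,
            "projection": projection}


def is_rejected(payload: dict) -> bool:
    """True when build_query refuses the payload (handy for tests and demos)."""
    try:
        build_query(payload)
    except InvalidRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample bodies: one legitimate lookup and two that try to
    # reach outside the allowlist.
    good = {"collection": "cves", "fields": ["id", "summary"],
            "filter": {"id": "CVE-2026-59509"}}
    print(build_query(good))
    print(is_rejected({"collection": "users", "fields": ["password"]}))  # True
    print(is_rejected({"filter": {"id": {"$ne": ""}}}))                   # True
```

The point of the allowlist is that the collection name and the projection are never derived from user input by string or identity; they are looked up in a fixed table, so a request for any other collection fails before a cursor is opened. Refusing non-string filter values closes the second common hole, where a JSON object in place of a value is interpreted by the driver as an operator.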

Sources: National Vulnerability Database — CVE-2026-59509 · cve-search — Pull Request #1218

CVE-2026-14781 — OIDC Account Takeover in Keycloak (medium)

The widely deployed identity and login service Keycloak, which handles single sign-on for many applications, contains a flaw in login via an upstream OpenID Connect provider. When such a provider is configured with trustEmail=true and the userinfo endpoint enabled, Keycloak reads the email address from the userinfo response but reads the verification status email_verified from the id_token — without checking that both refer to the same address. If the two sources return different addresses, the “verified” status is wrongly applied to the address supplied by userinfo. A malicious or misconfigured upstream provider can thereby make an arbitrary, unverified email address appear verified. Because account linking is often keyed on a verified address, this allows an existing account to be taken over. The National Vulnerability Database assigns a CVSS score of 4.8, classifies the flaw as medium and assigns it to weakness class CWE-1288 (improper validation of consistency within input). At the time of writing no corrected version is listed. Until a fix is available, operators should avoid the combination of trustEmail=true and an enabled userinfo endpoint for providers that are not trusted, and follow the vendor’s notices.
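The missing check (CWE-1288) is easiest to see in a small claim-merging routine. The block below is an added illustration written for this bulletin, not Keycloak's code: `resolve_identity_unsafe()` models the mix-up the advisory describes (address from userinfo, `email_verified` from the id_token, no comparison), and `resolve_identity()` applies a verification flag only to the address the same source vouched for. The claim names follow OpenID Connect Core; the `BrokeredIdentity` type, the function names and the sample claims are assumptions.

```python
"""Consistency check between id_token and userinfo claims in an OIDC broker.

Added illustration for the Keycloak flaw described in the bulletin; it is not
Keycloak's code. It models the configuration the advisory names (an upstream
OpenID Connect provider with trustEmail enabled and the userinfo endpoint in
use). resolve_identity_unsafe() reproduces the described mix-up and
resolve_identity() adds the missing check. Claim names follow OpenID Connect
Core; the BrokeredIdentity type and function names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BrokeredIdentity:
    subject: str
    email: Optional[str]
    email_verified: bool


def _same_address(a: str, b: str) -> bool:
    """Compare addresses after trimming and case-folding (illustrative rule)."""
    return a.strip().casefold() == b.strip().casefold()


def resolve_identity_unsafe(id_token: dict, userinfo: dict,
                            trust_email: bool) -> BrokeredIdentity:
    """Model of the flaw: email taken from userinfo, verified flag taken from
    the id_token, with no check that the two refer to the same address."""
    email = userinfo.get("email") or id_token.get("email")
    verified = trust_email and id_token.get("email_verified") is True
    return BrokeredIdentity(id_token["sub"], email, bool(verified))


def resolve_identity(id_token: dict, userinfo: dict,
                     trust_email: bool) -> BrokeredIdentity:
    """Hardened merge: each source's email_verified vouches only for the
    address carried in that same source."""
    subject = id_token["sub"]
    # OpenID Connect Core 5.3.2: the userinfo 'sub' must exactly match the
    # id_token 'sub'; otherwise the userinfo response must not be used.
    if userinfo.get("sub") != subject:
        raise ValueError("userinfo subject does not match id_token subject")

    token_email = id_token.get("email")
    userinfo_email = userinfo.get("email")
    email = userinfo_email or token_email  # userinfo address wins when present

    verified = False
    if trust_email and email:
        if userinfo_email and userinfo.get("email_verified") is True:
            verified = True  # userinfo vouches for its own address
        elif (token_email and id_token.get("email_verified") is True
              and _same_address(token_email, email)):
            verified = True  # id_token vouches, and it is the same address
    return BrokeredIdentity(subject, email, verified)


if __name__ == "__main__":
    # Constructed claims: the id_token vouches for one address while userinfo
    # returns a different address with no verification flag of its own.
    id_token = {"sub": "user-1", "email": "alice@example.com",
                "email_verified": True}
    userinfo = {"sub": "user-1", "email": "other@example.net"}
    print(resolve_identity_unsafe(id_token, userinfo, trust_email=True))
    print(resolve_identity(id_token, userinfo, trust_email=True))
```

With the sample claims the unsafe variant reports `other@example.net` as verified, which is exactly the state that lets account linking match the wrong existing account; the hardened variant returns the same address with `email_verified=False`, so a broker that links only on verified addresses would fall back to its normal first-login or review flow. The subject comparison is a separate requirement of the specification and is included because the same token-substitution concern applies to it.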

Sources: National Vulnerability Database — CVE-2026-14781

In Context: A Wave of SQL Injection in Small PHP Demo Applications

What stands out on 5 July 2026 is less a single flaw than a pattern: within a single day, a whole series of near-identical vulnerabilities was published in small PHP learning and sample applications — for instance in a “Multi-Vendor Online Grocery Management System”, an “Internship Management System”, an “Online Examination” system and several “Hospital Management” applications from various source-code template vendors. The overwhelming majority are SQL injection (CWE-89), some exploitable without a login; in the case of the “Syllabus-Aligned Learning Management and Examination System” an unrestricted file upload (CWE-434) is added, through which a malicious script can be uploaded and executed, and for which a public proof of concept already exists. These applications all carry the version number 1.0, receive no fix and have negligible real-world deployment. Individually none of these reports is newsworthy; taken together, however, they are a useful reminder: source-code templates and tutorial projects are meant for learning, not for production. Anyone who nevertheless deploys such code should keep it strictly separated from the rest of their hosting and assume that it is not maintained.

Sources: National Vulnerability Database — CVE-2026-14690 · National Vulnerability Database — CVE-2026-14698

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.