CVE-2026-49491 PUBLISHED

Pixa Bank 2.0 SQL Injection via agence-ajax.php API

Assigner: VulnCheck
Reserved: 31.05.2026 Published: 01.06.2026 Updated: 02.06.2026

Pixa Bank 2.0 contains an SQL injection vulnerability in the agence-ajax.php endpoint: the 'rib' parameter of a POST request is placed into an SQL query without neutralization, so an unauthenticated attacker can inject SQL code through it. By sending UNION-based payloads in 'rib', an attacker can read user records, including names, email addresses and phone numbers, from the application database.
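The following is an added illustration of the bug class the advisory describes, not code from Pixa Bank or from the advisory itself. It models a lookup that concatenates a POSTed 'rib' value into the query text next to the parameterized version that fixes it, and runs a UNION payload through both. The table names, column names and sample rows (an 'agence' table and a 'users' table) are constructed for this example; the real schema behind agence-ajax.php is not published on the page.

```python
"""
Added illustration (not Pixa Bank code): a string-built SQL lookup on a
'rib' parameter beside the parameterized form, exercised with a UNION
payload. Schema and rows are hypothetical and constructed for this demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a hypothetical schema and sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE agence (id INTEGER PRIMARY KEY, nom TEXT, ville TEXT, rib TEXT);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT);
        INSERT INTO agence VALUES (1, 'Agence Centre', 'Paris', 'FR76-0001');
        INSERT INTO agence VALUES (2, 'Agence Nord',   'Lille', 'FR76-0002');
        INSERT INTO users  VALUES (1, 'Alice', 'alice@example.test', '+33100000001');
        INSERT INTO users  VALUES (2, 'Bob',   'bob@example.test',   '+33100000002');
        """
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, rib: str) -> list:
    """Vulnerable pattern: the request parameter is concatenated into the SQL text,
    so any quote in it terminates the literal and the rest is parsed as SQL."""
    sql = "SELECT nom, ville, rib FROM agence WHERE rib = '" + rib + "'"
    return con.execute(sql).fetchall()


def lookup_fixed(con: sqlite3.Connection, rib: str) -> list:
    """Fixed pattern: the parameter is bound with a placeholder, so its content
    is only ever compared as data and never parsed as part of the statement."""
    sql = "SELECT nom, ville, rib FROM agence WHERE rib = ?"
    return con.execute(sql, (rib,)).fetchall()


# A UNION-based payload of the kind the advisory describes: it closes the
# string literal, appends a SELECT with the same column count over another
# table, and comments out the trailing quote of the original query.
PAYLOAD = "' UNION SELECT name, email, phone FROM users -- "


def demo() -> dict:
    """Run a legitimate value and the payload through both lookups."""
    con = make_db()
    legit = "FR76-0001"
    return {
        "vuln_legit": lookup_vulnerable(con, legit),
        "vuln_payload": sorted(lookup_vulnerable(con, PAYLOAD)),
        "fixed_legit": lookup_fixed(con, legit),
        "fixed_payload": lookup_fixed(con, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the vulnerable lookup the payload returns the rows of the users table (name, email, phone) in place of branch data; with the bound parameter the same input simply matches no row. Binding is the fix; input validation of the RIB format is useful as defense in depth but must not be the only control.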

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.8

Product Status

Vendor Pixastudio
Product Pixa Bank
Versions
  • Version 2.0 is affected

Credits

  • indoushka (finder)

References

Problem Types

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')