CVE-2026-38739: ezsystems/ezpublish-legacy has a SQL injection in dfscleanup

May 29, 2026

NB: All tags and branches in this repository are past their end of life, so the vulnerability will not be fixed. The advisory is posted on the request of the researcher, for the information of anyone who might still use this software.

References

github.com/advisories/GHSA-xg9x-h37w-h3r3
github.com/ezsystems/ezpublish-legacy/security/advisories/GHSA-xg9x-h37w-h3r3
nvd.nist.gov/vuln/detail/CVE-2026-38739

Code Behaviors & Features

Detect and mitigate CVE-2026-38739 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →