CVE-2026-42550: Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

May 6, 2026

SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys.

References

github.com/advisories/GHSA-xwqr-rcqg-22mr
github.com/flightphp/core
github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
github.com/flightphp/core/releases/tag/v3.18.1
github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr
nvd.nist.gov/vuln/detail/CVE-2026-42550

Code Behaviors & Features

Detect and mitigate CVE-2026-42550 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →