PT-2026-34664 · Unknown · Socialengine

Egidio Romano · Published 2026-04-23 · Updated 2026-04-27 · CVE-2026-41460

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SocialEngine versions 7.8.0 and prior

Description: An issue exists in the '/activity/index/get-memberall' endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. This allows an unauthenticated remote attacker to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, which could potentially enable remote code execution.

Recommendations: Update SocialEngine to a version later than 7.8.0. Avoid using the text parameter in the '/activity/index/get-memberall' endpoint until the issue is resolved.
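As an added example (not part of this advisory or of SocialEngine's own code), a small Python triage script that scans web-server access-log lines for requests to the affected endpoint whose text parameter carries SQL metacharacters or keywords, the kind of check a defender can run over existing logs while the upgrade is scheduled. The combined log format, the sample lines and the addresses in them are constructed assumptions; a match is a signal for investigation, not proof of compromise.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
VULN_PATH = "/activity/index/get-memberall"
VULN_PARAM = "text"

# Quote characters, comment openers and common SQL keywords. Matching any of
# these in the text parameter is a triage signal, not proof of exploitation.
SQLI_HINT = re.compile(
    r"""['"\\;]|--|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b""",
    re.I,
)

# Combined-format access log lines, constructed for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Apr/2026:10:01:02 +0000] "GET /activity/index/get-memberall?text=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Apr/2026:10:01:05 +0000] "GET /activity/index/get-memberall?text=a%27%20OR%201%3D1--%20 HTTP/1.1" 200 9031 "-" "curl/8.0"
203.0.113.4 - - [23/Apr/2026:10:02:11 +0000] "GET /members/home HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_target(target):
    """Return (hit, reason): hit is True only when the request targets the
    vulnerable endpoint and its decoded text parameter looks like SQL injection."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return False, "other endpoint"
    # parse_qs percent-decodes, so encoded quotes and spaces are inspected as sent.
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    for value in values:
        m = SQLI_HINT.search(value)
        if m:
            return True, f"text={value!r} matched {m.group(0)!r}"
    return False, ("benign text" if values else "no text parameter")


def scan_access_log(log_text):
    """Return a list of (ip, timestamp, target, reason) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hit, reason = inspect_target(m["target"])
        if hit:
            hits.append((m["ip"], m["ts"], m["target"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
```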

Exploit

Fix

RCE

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2026-41460

Affected Products: Socialengine