PT-2026-38272 · Flight · Flight

Published

2026-05-06

·

Updated

2026-05-13

·

CVE-2026-42550

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Flight versions prior to 3.18.1

Description

The SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() methods build their SQL statements by concatenating the $table argument and the keys of the $data array (used as column names) directly into the query string, without identifier quoting or validation. The injection point is therefore the identifiers, not the values: an application that lets user input decide the table name or the column names, for example by forwarding the keys of a decoded request body as the $data array, lets an attacker inject arbitrary SQL through a crafted key. Depending on the statement this can lead to privilege escalation, arbitrary column writes, data destruction, and data exfiltration.

Recommendations

Update to version 3.18.1 or later. As a temporary workaround, never pass user-controlled input as the $table argument or as the keys of the $data array to SimplePdo::insert(), SimplePdo::update(), or SimplePdo::delete(): map incoming field names onto an application-defined allow-list of column names before calling these helpers, and treat any unexpected key as an error rather than passing it through.
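The following is an added example written for this page; it is not code from Flight or its SimplePdo class. It reconstructs the pattern the description names in a minimal stand-in (vulnerableInsert: table name and $data keys concatenated into the statement, only the values bound) and places it beside a hardened version (safeInsert, using the hypothetical helper quoteIdentifier) that enforces the workaround above: table and column names are checked against an application allow-list and a strict identifier pattern before being quoted. The hostile input, the users table and the function names are all constructed for the demonstration; it runs against an in-memory SQLite database and needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Stand-in for the pattern the advisory describes (NOT Flight's SimplePdo):
// the table name and the $data keys are concatenated into the statement
// unquoted and unvalidated; only the values are bound as parameters.
function vulnerableInsert(PDO $pdo, string $table, array $data): void
{
    $cols  = implode(', ', array_keys($data));
    $marks = implode(', ', array_fill(0, count($data), '?'));
    $sql   = "INSERT INTO {$table} ({$cols}) VALUES ({$marks})";
    $pdo->prepare($sql)->execute(array_values($data));
}

// Hypothetical helper: an identifier must match a strict pattern and is then
// delimited. Double quotes are the SQL-standard delimiter (SQLite, PostgreSQL);
// use backticks on MySQL unless ANSI_QUOTES is enabled.
function quoteIdentifier(string $ident): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $ident)) {
        throw new InvalidArgumentException('invalid SQL identifier: ' . $ident);
    }
    return '"' . $ident . '"';
}

// Hardened replacement: the table and every column must appear in an
// application-defined allow-list, and every identifier is quoted.
function safeInsert(PDO $pdo, string $table, array $data, array $allowedTables, array $allowedColumns): void
{
    if ($data === []) {
        throw new InvalidArgumentException('no columns to insert');
    }
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('table not allowed: ' . $table);
    }
    $cols = [];
    foreach (array_keys($data) as $col) {
        $col = (string) $col;
        if (!in_array($col, $allowedColumns, true)) {
            throw new InvalidArgumentException('column not allowed: ' . $col);
        }
        $cols[] = quoteIdentifier($col);
    }
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $sql   = 'INSERT INTO ' . quoteIdentifier($table)
           . ' (' . implode(', ', $cols) . ') VALUES (' . $marks . ')';
    $pdo->prepare($sql)->execute(array_values($data));
}

// --- Demonstration against an in-memory SQLite database (requires pdo_sqlite) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'user')");

// Constructed attacker input: imagine the application decoded a JSON body and
// passed its keys straight through as column names. The key closes the column
// list, supplies its own VALUES clause with 'admin' as the role, and comments
// out the remainder, so the live statement still contains exactly one
// placeholder for the one bound value:
//   INSERT INTO users (name, role) VALUES (?, 'admin') --) VALUES (?)
$hostile = ["name, role) VALUES (?, 'admin') --" => 'mallory'];

vulnerableInsert($pdo, 'users', $hostile);
// The inserted row carries role 'admin', a column the endpoint never meant to expose.
print_r($pdo->query('SELECT name, role FROM users')->fetchAll(PDO::FETCH_ASSOC));

// The hardened version rejects the same input before any SQL is built.
try {
    safeInsert($pdo, 'users', $hostile, ['users'], ['name']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Legitimate input still goes through; role falls back to the column default.
safeInsert($pdo, 'users', ['name' => 'alice'], ['users'], ['name']);
print_r($pdo->query("SELECT name, role FROM users WHERE name = 'alice'")->fetchAll(PDO::FETCH_ASSOC));
```

Two points worth noting. The hostile key succeeds without stacked statements: it leaves exactly one `?` in the live part of the query so the single bound value still matches, which is why it works even on drivers that execute only the first statement of a prepared query. And quoting alone is not the workaround the advisory asks for: quoteIdentifier stops the injection, but only the allow-list stops an attacker from supplying a legitimately named column such as role that the endpoint should never write.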

Exploit

Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2026-42550
GHSA-XWQR-RCQG-22MR

Affected Products

Flight