CVE-2026-30655 identifies a SQL injection vulnerability in the esiclivre/esiclivre open-source application, specifically in the resetaSenha() method of the Solicitante class. The vulnerability arises from improper sanitization of the cpfcnpj parameter in the /reset/index.php endpoint, which is used for password reset functionality. An unauthenticated remote attacker can exploit this flaw by injecting crafted SQL statements into the cpfcnpj parameter, enabling unauthorized access to sensitive data stored in the backend database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact primarily affects confidentiality and integrity, allowing attackers to read or manipulate data without disrupting service availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild, indicating a window for proactive mitigation. Given the nature of the vulnerability, automated scanning and exploitation tools could be developed, increasing the risk if left unaddressed.

The SQL injection vulnerability allows attackers to bypass authentication and access sensitive information, potentially including user credentials, personal identification data, or other confidential records managed by the esiclivre application. This can lead to data breaches, privacy violations, and unauthorized data manipulation. Organizations relying on esiclivre for managing sensitive user data, especially in password reset workflows, face risks of credential compromise and data leakage. While availability is not impacted, the integrity and confidentiality of data are at risk, which can undermine trust and compliance with data protection regulations. The ease of exploitation (no authentication or user interaction required) increases the threat level, especially for publicly accessible instances. The absence of known exploits currently provides a limited window for remediation before active exploitation might emerge.

To mitigate this vulnerability, organizations should immediately review and sanitize all inputs to the resetaSenha() function, particularly the cpfcnpj parameter, using parameterized queries or prepared statements to prevent SQL injection. Applying input validation and escaping techniques is critical. If an official patch or update from the esiclivre project becomes available, it should be applied promptly. In the absence of a patch, implementing Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts targeting /reset/index.php can reduce risk. Additionally, restricting access to the password reset endpoint through IP whitelisting or CAPTCHA challenges may help limit automated exploitation. Regular security assessments and code audits focusing on input handling should be conducted. Monitoring logs for suspicious SQL query patterns related to cpfcnpj parameters can provide early detection of exploitation attempts.