CVE-2026-30655 is a SQL injection vulnerability identified in the esiclivre/esiclivre open-source project, specifically in version 0.2.2 and earlier. The vulnerability resides in the resetaSenha() method of the Solicitante class, which handles password reset functionality. The issue arises from improper sanitization or validation of the cpfcnpj parameter submitted to the /reset/index.php endpoint. An attacker can craft malicious input to manipulate the underlying SQL query, bypassing authentication controls and extracting sensitive data from the database. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 3.1 base score of 6.5 reflects the ease of exploitation (low attack complexity), no privileges required, and no user interaction needed, but with limited impact on availability. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). No official patches or fixes have been linked yet, and no known exploits have been reported in the wild as of the publication date. However, the presence of this vulnerability in a password reset function is critical because it can lead to unauthorized disclosure of user credentials or other sensitive information, potentially facilitating further attacks such as account takeover or privilege escalation.

The primary impact of CVE-2026-30655 is unauthorized disclosure of sensitive information due to SQL injection in a password reset mechanism. This can lead to leakage of user data such as personally identifiable information (PII), credentials, or other confidential database contents. Organizations using affected versions of esiclivre risk data breaches, loss of user trust, and potential regulatory penalties depending on the nature of the exposed data. While the vulnerability does not directly affect system availability, the compromise of confidentiality and integrity can enable attackers to perform further malicious activities, including account hijacking or lateral movement within the environment. Since the vulnerability requires no authentication and no user interaction, it can be exploited by remote attackers with minimal effort, increasing the risk profile. The lack of known exploits in the wild suggests limited current active exploitation, but the vulnerability remains a significant threat if left unaddressed.

To mitigate CVE-2026-30655, organizations should first check for and apply any available patches or updates from the esiclivre project as soon as they are released. In the absence of official patches, immediate mitigation steps include implementing input validation and parameterized queries or prepared statements for the cpfcnpj parameter to prevent SQL injection. Web application firewalls (WAFs) can be configured to detect and block SQL injection attempts targeting the /reset/index.php endpoint. Additionally, monitoring and logging access to the password reset functionality should be enhanced to detect suspicious activity. Restricting access to the reset endpoint by IP whitelisting or rate limiting can reduce exposure. Conducting a thorough security review of related password reset and authentication mechanisms is recommended to identify and remediate similar vulnerabilities. Finally, educating developers on secure coding practices and regular security testing will help prevent recurrence.