# Security Advisory

* **Disclosure Date:** 2026-06-09
* **CVE ID:** CVE-2026-36670
* **Reporter(s):** Gabriel Lacorte
* **Vendor:** OpenSIPS
* **Product / Component:** OpenSIPS Control Panel
* **Version(s) Affected:** OpenSIPS Control Panel prior to 9.3.3
* **Attack Vector:** Remote, authenticated HTTP request
* **Privileges Required:** Authenticated user with access to the `alias_management` tool
* **CVSS:** 8.8 — Suggested: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

## Vulnerability Description

A Time-Based Blind SQL Injection vulnerability exists in the `alias_management` module of OpenSIPS Control Panel, also known as `opensips-cp`.

The vulnerability is caused by unsafe concatenation of the user-controlled `table` GET parameter into an SQL query inside `alias_management.php`. An authenticated attacker can abuse this parameter to inject SQL syntax and execute arbitrary SQL commands against the backend database.

Although traditional UNION-based or error-based SQL injection techniques may fail silently, because PDO is used with `ERRMODE_SILENT` and the template subsequently crashes, the SQL query is executed before the crash occurs. This makes time-based blind SQL injection techniques effective for extracting database information.

## Contact

For coordination, secure PoC requests, or further inquiries: **[lacorte@posteo.com](mailto:lacorte@posteo.com)**

## References

* OpenSIPS official website: https://opensips.org/
* OpenSIPS Control Panel repository: https://github.com/OpenSIPS/opensips-cp
* CVE record: https://www.cve.org/CVERecord?id=CVE-2026-36670
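The root cause named above (a request parameter used as a table identifier) is worth seeing next to its fix, because it is not solvable with an ordinary prepared-statement placeholder: PDO can bind values, not identifiers. The following is an added example written for this advisory, not code from opensips-cp; the table and column names, the `lookupAliases*` function names and the SQLite setup are assumptions for illustration, and the real `alias_management.php` query is not reproduced. It shows the vulnerable concatenation shape beside an allow-list based replacement, with PDO error reporting switched from silent to exceptions so failed queries surface in logs.

```php
<?php
declare(strict_types=1);

// Added example, not opensips-cp code. Table/column names and function
// names are assumptions; the real alias_management.php query is not shown.

// Vulnerable shape: the user-controlled identifier is spliced into the
// statement text. A PDO placeholder cannot fix this, because identifiers
// (table and column names) are not bindable parameters, only values are.
function lookupAliasesUnsafe(PDO $pdo, string $table): array
{
    $stmt = $pdo->query('SELECT username, alias FROM ' . $table);
    return $stmt === false ? [] : $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: accept only identifiers from a fixed allow-list, place the
// matched constant (never the raw request value) into the SQL, and reject
// everything else before any statement is built. Rejections are logged so
// probing of the parameter is visible to operators.
const ALIAS_TABLES = ['dbaliases', 'dbaliases_archive']; // hypothetical names

function lookupAliasesSafe(PDO $pdo, string $requestedTable): array
{
    $idx = array_search($requestedTable, ALIAS_TABLES, true);
    if ($idx === false) {
        error_log('alias lookup rejected table parameter: ' . bin2hex($requestedTable));
        throw new InvalidArgumentException('unknown table');
    }
    $table = ALIAS_TABLES[$idx];                    // the allow-listed constant
    $stmt  = $pdo->query('SELECT username, alias FROM "' . $table . '"');
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demonstration against an in-memory SQLite database with
// constructed sample rows. ERRMODE_EXCEPTION makes a failing query report
// itself instead of being swallowed, which is what ERRMODE_SILENT would do.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dbaliases (username TEXT, alias TEXT)');
$pdo->exec("INSERT INTO dbaliases VALUES ('alice', '1001'), ('bob', '1002')");

var_dump(lookupAliasesSafe($pdo, 'dbaliases'));   // two rows

try {
    lookupAliasesSafe($pdo, 'dbaliases x');        // not allow-listed: rejected
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The allow-list comparison is the actual control; the identifier quoting is secondary and database-specific (SQLite and ANSI-mode MySQL accept double quotes, default MySQL uses backticks). Keeping `ERRMODE_EXCEPTION` on also gives detection engineers something to alert on: a burst of database exceptions from one authenticated account against `alias_management.php` is the signal this class of probing leaves behind.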