CWE-943
Improper Neutralization of Special Elements in Data Query Logic
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
CVE-2026-41274 (GCVE-0-2026-41274)
Vulnerability from cvelistv5 – Published: 2026-04-23 21:12 – Updated: 2026-04-24 18:19
VLAI
Title
Flowise: Cypher Injection in GraphCypherQAChain
Summary
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/FlowiseAI/Flowise/security/adv… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| FlowiseAI | Flowise |
Affected:
< 3.1.0
|
|
| FlowiseAI | flowise-components |
Affected:
< 3.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41274",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:20:30.518456Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:19:51.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Flowise",
"vendor": "FlowiseAI",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.0"
}
]
},
{
"product": "flowise-components",
"vendor": "FlowiseAI",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T21:12:51.627Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc"
}
],
"source": {
"advisory": "GHSA-28g4-38q8-3cwc",
"discovery": "UNKNOWN"
},
"title": "Flowise: Cypher Injection in GraphCypherQAChain"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41274",
"datePublished": "2026-04-23T21:12:51.627Z",
"dateReserved": "2026-04-18T14:01:46.802Z",
"dateUpdated": "2026-04-24T18:19:51.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41327 (GCVE-0-2026-41327)
Vulnerability from cvelistv5 – Published: 2026-04-24 18:27 – Updated: 2026-04-24 19:05
VLAI
Title
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field
Summary
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dgraph-io/dgraph/security/advi… | x_refsource_CONFIRM |
| https://github.com/dgraph-io/dgraph/releases/tag/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41327",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T19:04:19.112167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T19:05:56.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dgraph",
"vendor": "dgraph-io",
"versions": [
{
"status": "affected",
"version": "\u003c 25.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph\u0027s default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:27:51.477Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77"
},
{
"name": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3"
}
],
"source": {
"advisory": "GHSA-mrxx-39g5-ph77",
"discovery": "UNKNOWN"
},
"title": "Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41327",
"datePublished": "2026-04-24T18:27:51.477Z",
"dateReserved": "2026-04-20T14:01:46.672Z",
"dateUpdated": "2026-04-24T19:05:56.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41328 (GCVE-0-2026-41328)
Vulnerability from cvelistv5 – Published: 2026-04-24 18:25 – Updated: 2026-04-24 19:57
VLAI
Title
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field
Summary
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/dgraph-io/dgraph/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41328",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T19:57:33.326072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T19:57:59.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dgraph",
"vendor": "dgraph-io",
"versions": [
{
"status": "affected",
"version": "\u003c 25.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph\u0027s default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:25:43.894Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4"
}
],
"source": {
"advisory": "GHSA-x92x-px7w-4gx4",
"discovery": "UNKNOWN"
},
"title": "Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41328",
"datePublished": "2026-04-24T18:25:43.894Z",
"dateReserved": "2026-04-20T14:01:46.672Z",
"dateUpdated": "2026-04-24T19:57:59.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41696 (GCVE-0-2026-41696)
Vulnerability from cvelistv5 – Published: 2026-06-09 23:47 – Updated: 2026-06-09 23:47
VLAI
Title
Spring Data MongoDB Bind Parameter Literal Quoting Breakout
Summary
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.
Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Severity
5.9 (Medium)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring | Spring Data MongoDB |
Affected:
5.0.0 , < 5.0.6
(custom)
Affected: 4.5.0 , < 4.5.12 (custom) Affected: 4.4.0 , < 4.4.15 (custom) Affected: 4.3.0 , < 4.3.17 (custom) Affected: 4.2.0 , < 4.2.16 (custom) Affected: 4.1.0 , < 4.1.15 (custom) Affected: 4.0.0 , < 4.0.16 (custom) Affected: 3.4.0 , < 3.4.20 (custom) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Data MongoDB",
"vendor": "Spring",
"versions": [
{
"lessThan": "5.0.6",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
},
{
"lessThan": "4.5.12",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
},
{
"lessThan": "4.4.15",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.3.17",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.2.16",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.1.15",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.0.16",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.4.20",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.\n\nAffected versions:\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19."
}
],
"value": "Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.\n\nAffected versions:\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker who can supply a crafted string to a @Query regex binding can break out of literal quoting, potentially exposing unauthorized data or bypassing intended query filters."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T23:47:37.883Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41696"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring Data MongoDB Bind Parameter Literal Quoting Breakout",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41696",
"datePublished": "2026-06-09T23:47:37.883Z",
"dateReserved": "2026-04-22T06:21:22.981Z",
"dateUpdated": "2026-06-09T23:47:37.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41697 (GCVE-0-2026-41697)
Vulnerability from cvelistv5 – Published: 2026-06-09 23:47 – Updated: 2026-06-09 23:47
VLAI
Title
Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern
Summary
Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference.
Affected versions:
Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.
Severity
4.8 (Medium)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Spring | Spring Data Relational |
Affected:
4.0.0 , < 4.0.6
(custom)
Affected: 3.5.0 , < 3.5.12 (custom) Affected: 3.4.0 , < 3.4.15 (custom) Affected: 3.3.0 , < 3.3.17 (custom) Affected: 3.2.0 , < 3.2.16 (custom) Affected: 3.1.0 , < 3.1.15 (custom) Affected: 3.0.0 , < 3.0.16 (custom) Affected: 2.4.0 , < 2.4.20 (custom) |
|
| Spring | Spring Data JDBC |
Affected:
4.0.0 , < 4.0.6
(custom)
Affected: 3.5.0 , < 3.5.12 (custom) Affected: 3.4.0 , < 3.4.15 (custom) Affected: 3.3.0 , < 3.3.17 (custom) Affected: 3.2.0 , < 3.2.16 (custom) Affected: 3.1.0 , < 3.1.15 (custom) Affected: 3.0.0 , < 3.0.16 (custom) Affected: 2.4.0 , < 2.4.20 (custom) |
|
| Spring | Spring Data R2DBC |
Affected:
4.0.0 , < 4.0.6
(custom)
Affected: 3.5.0 , < 3.5.12 (custom) Affected: 3.4.0 , < 3.4.15 (custom) Affected: 3.3.0 , < 3.3.17 (custom) Affected: 3.2.0 , < 3.2.16 (custom) Affected: 3.1.0 , < 3.1.15 (custom) Affected: 3.0.0 , < 3.0.16 (custom) Affected: 1.5.0 , < 1.5.20 (custom) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Data Relational",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.5.12",
"status": "affected",
"version": "3.5.0",
"versionType": "custom"
},
{
"lessThan": "3.4.15",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.17",
"status": "affected",
"version": "3.3.0",
"versionType": "custom"
},
{
"lessThan": "3.2.16",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.1.15",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.0.16",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.4.20",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spring Data JDBC",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.5.12",
"status": "affected",
"version": "3.5.0",
"versionType": "custom"
},
{
"lessThan": "3.4.15",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.17",
"status": "affected",
"version": "3.3.0",
"versionType": "custom"
},
{
"lessThan": "3.2.16",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.1.15",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.0.16",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.4.20",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spring Data R2DBC",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.5.12",
"status": "affected",
"version": "3.5.0",
"versionType": "custom"
},
{
"lessThan": "3.4.15",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.17",
"status": "affected",
"version": "3.3.0",
"versionType": "custom"
},
{
"lessThan": "3.2.16",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.1.15",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.0.16",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "1.5.20",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference.\n\nAffected versions:\nSpring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19."
}
],
"value": "Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference.\n\nAffected versions:\nSpring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker who can supply wildcard characters to a Query By Example probe can perform boolean-based blind data inference against the queried entity."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T23:47:42.091Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41697"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41697",
"datePublished": "2026-06-09T23:47:42.091Z",
"dateReserved": "2026-04-22T06:21:22.981Z",
"dateUpdated": "2026-06-09T23:47:42.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42156 (GCVE-0-2026-42156)
Vulnerability from cvelistv5 – Published: 2026-05-12 23:00 – Updated: 2026-05-13 12:07
VLAI
Title
Flowsint: Cypher query injection in node type on node creation
Summary
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/reconurge/flowsint/security/ad… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42156",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:06:52.985812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:07:00.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "flowsint",
"vendor": "reconurge",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T23:00:03.440Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p"
}
],
"source": {
"advisory": "GHSA-h5m2-c2c5-968p",
"discovery": "UNKNOWN"
},
"title": "Flowsint: Cypher query injection in node type on node creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42156",
"datePublished": "2026-05-12T23:00:03.440Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-05-13T12:07:00.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42316 (GCVE-0-2026-42316)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:41 – Updated: 2026-05-11 17:27
VLAI
Title
KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto
Summary
kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) → "<table> | count", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) → ".show table <table> ingestion <format> mapping '<mapping>'"). An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, ') to execute arbitrary management commands in the context of the connector's service principal — enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Azure/kafka-sink-azure-kusto/s… | x_refsource_CONFIRM |
| https://github.com/Azure/kafka-sink-azure-kusto/p… | x_refsource_MISC |
| https://github.com/Azure/kafka-sink-azure-kusto/r… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Azure | kafka-sink-azure-kusto |
Affected:
< 5.2.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42316",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T17:27:18.333065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T17:27:23.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kafka-sink-azure-kusto",
"vendor": "Azure",
"versions": [
{
"status": "affected",
"version": "\u003c 5.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) \u2192 \"\u003ctable\u003e | count\", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) \u2192 \".show table \u003ctable\u003e ingestion \u003cformat\u003e mapping \u0027\u003cmapping\u003e\u0027\"). An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, \u0027) to execute arbitrary management commands in the context of the connector\u0027s service principal \u2014 enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:41:07.091Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Azure/kafka-sink-azure-kusto/security/advisories/GHSA-c9mr-mqvh-6wgj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Azure/kafka-sink-azure-kusto/security/advisories/GHSA-c9mr-mqvh-6wgj"
},
{
"name": "https://github.com/Azure/kafka-sink-azure-kusto/pull/155",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Azure/kafka-sink-azure-kusto/pull/155"
},
{
"name": "https://github.com/Azure/kafka-sink-azure-kusto/releases/tag/v5.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Azure/kafka-sink-azure-kusto/releases/tag/v5.2.3"
}
],
"source": {
"advisory": "GHSA-c9mr-mqvh-6wgj",
"discovery": "UNKNOWN"
},
"title": "KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42316",
"datePublished": "2026-05-11T16:41:07.091Z",
"dateReserved": "2026-04-26T12:37:18.170Z",
"dateUpdated": "2026-05-11T17:27:23.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44425 (GCVE-0-2026-44425)
Vulnerability from cvelistv5 – Published: 2026-05-13 21:05 – Updated: 2026-05-14 19:52
VLAI
Title
ShellHub: Crash-DoS via field injection in filter and sort-by parameters
Summary
ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/shellhub-io/shellhub/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| shellhub-io | shellhub |
Affected:
< 0.24.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T16:04:10.929560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:09.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shellhub",
"vendor": "shellhub-io",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T21:05:07.925Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-47r2-v3x6-wff9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-47r2-v3x6-wff9"
}
],
"source": {
"advisory": "GHSA-47r2-v3x6-wff9",
"discovery": "UNKNOWN"
},
"title": "ShellHub: Crash-DoS via field injection in filter and sort-by parameters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44425",
"datePublished": "2026-05-13T21:05:07.925Z",
"dateReserved": "2026-05-06T14:40:00.953Z",
"dateUpdated": "2026-05-14T19:52:09.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53674 (GCVE-0-2026-53674)
Vulnerability from cvelistv5 – Published: 2026-06-09 23:44 – Updated: 2026-06-09 23:44
VLAI
Title
BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution
Summary
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.
Severity
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://buddypress.org/ | product |
| https://wordpress.org/plugins/buddypress/ | product |
| https://www.vulncheck.com/advisories/buddypress-r… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BuddyPress | BuddyPress |
Affected:
0 , ≤ 14.4.0
(semver)
|
Date Public
2026-06-09 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "BuddyPress",
"vendor": "BuddyPress",
"versions": [
{
"lessThanOrEqual": "14.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:wordpress:*:*",
"versionEndIncluding": "14.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Moore - VulnCheck"
}
],
"datePublic": "2026-06-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T23:44:21.471Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"product"
],
"url": "https://buddypress.org/"
},
{
"tags": [
"product"
],
"url": "https://wordpress.org/plugins/buddypress/"
},
{
"name": "VulnCheck Advisory: BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/buddypress-regexp-injection-via-mention-username-resolution"
}
],
"title": "BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution",
"x_generator": {
"engine": "scooter"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-53674",
"datePublished": "2026-06-09T23:44:21.471Z",
"dateReserved": "2026-06-09T23:14:36.036Z",
"dateUpdated": "2026-06-09T23:44:21.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6626 (GCVE-0-2026-6626)
Vulnerability from cvelistv5 – Published: 2026-04-20 09:45 – Updated: 2026-04-20 15:23
VLAI
Title
Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection
Summary
A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/358261 | vdb-entry |
| https://vuldb.com/vuln/358261/cti | signaturepermissions-required |
| https://vuldb.com/submit/792601 | third-party-advisory |
| https://github.com/NicolasPauferro/studiesofnosqli | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cockpit-HQ | Cockpit |
Affected:
2.13.0
Affected: 2.13.1 Affected: 2.13.2 Affected: 2.13.3 Affected: 2.13.4 Affected: 2.13.5 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6626",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T15:23:30.707150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T15:23:47.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Asset Handler/Aggregate Handler"
],
"product": "Cockpit",
"vendor": "Cockpit-HQ",
"versions": [
{
"status": "affected",
"version": "2.13.0"
},
{
"status": "affected",
"version": "2.13.1"
},
{
"status": "affected",
"version": "2.13.2"
},
{
"status": "affected",
"version": "2.13.3"
},
{
"status": "affected",
"version": "2.13.4"
},
{
"status": "affected",
"version": "2.13.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nicolas Pauferro (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T09:45:12.067Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-358261 | Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/358261"
},
{
"name": "VDB-358261 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/358261/cti"
},
{
"name": "Submit #792601 | Cockpit-HQ Cockpit CMS 2.13.5 Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/792601"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/NicolasPauferro/studiesofnosqli"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-19T18:48:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6626",
"datePublished": "2026-04-20T09:45:12.067Z",
"dateReserved": "2026-04-19T16:43:04.982Z",
"dateUpdated": "2026-04-20T15:23:47.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-676: NoSQL Injection
An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.