Search criteria Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.

1 vulnerability by Umami Software application

CVE-2026-4317 (GCVE-0-2026-4317)

Vulnerability from cvelistv5 – Published: 2026-03-31 09:53 – Updated: 2026-03-31 18:04
VLAI?
Title
SQL inyection in Umami Software application
Summary
SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions.
Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:H
CWE
  • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
Impacted products
Vendor Product Version
Umami Software application Umami Software Affected: 3.0.2 (custom)
Create a notification for this product.
Credits
Hector Ruiz Ruiz & NaxusAI
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4317",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T14:59:51.884246Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T18:04:01.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Umami Software",
          "vendor": "Umami Software application",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:umami_software_application:umami_software:3.0.2:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hector Ruiz Ruiz \u0026 NaxusAI"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the \u0027timezone\u0027 request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as \u0027prisma.rawQuery\u0027, \u0027prisma.$queryRawUnsafe\u0027 or raw queries with \u0027ClickHouse\u0027). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions."
            }
          ],
          "value": "SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the \u0027timezone\u0027 request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as \u0027prisma.rawQuery\u0027, \u0027prisma.$queryRawUnsafe\u0027 or raw queries with \u0027ClickHouse\u0027). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T09:53:26.180Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-inyection-umami-software-application"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vulnerability has been fixed by Umami Software team in version 3.0.3."
            }
          ],
          "value": "The vulnerability has been fixed by Umami Software team in version 3.0.3."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SQL inyection in Umami Software application",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2026-4317",
    "datePublished": "2026-03-31T09:53:26.180Z",
    "dateReserved": "2026-03-17T09:27:25.828Z",
    "dateUpdated": "2026-03-31T18:04:01.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}