SQL injection in Ncvav Virtual PBX Software versions prior to 09.07.2025 allows remote unauthenticated attackers to manipulate backend database queries, leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Turkey's national CSIRT (USOM) and carries a critical CVSS 9.8 score, though no public exploit identified at time of analysis and no EPSS data is currently available.
SQLi
NVD
VulDB
CVSS 3.1
9.8
EPSS
0.2%