Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated SQL injection over the network (AV:N/AC:L/PR:N/UI:N) grants full database read/write, so C:H/I:H/A:H; scope unchanged as impact stays within the database system.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows SQL Injection.
This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in Adam Retail Automation's MobilMen 20T retail-automation software (versions v3 through build 10072026) lets remote attackers inject arbitrary SQL through improperly neutralized input, yielding full read/write access to the backing database. Rated CVSS 9.8 by TR-CERT with an unauthenticated network-reachable vector, though no public exploit has been identified and it is not on CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no special conditions - remote unauthenticated exploitation over the network against MobilMen 20T versions v3 through 10072026, requiring no authentication and no user interaction. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals partly align and partly conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the MobilMen 20T application over the network submits a crafted value into a vulnerable parameter (e.g., a login, search, or product-lookup field), breaking out of the intended SQL query to dump the entire database - pricing, transaction and customer data - or to modify records. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, no authentication or user interaction is required and the attack is easily scripted; no public proof-of-concept has been identified, so exploitation would require an attacker to develop the injection independently. |
| Remediation | No vendor-released patch identified at time of analysis - the vendor was contacted early but did not respond, so no fixed version number exists to cite. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Restrict all MobilMen 20T instances to private network access only; disable internet-facing exposure; enable database connection logging and configure alerts for unusual queries. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mobilmen 20T
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42965
GHSA-r958-fxrc-p879