Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL commands. This would lead to the enumeration of sensitive employee data.
AnalysisAI
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.
Technical ContextAI
The vulnerability is classified as CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) which occurs when user-supplied input is not properly sanitized before being used in NoSQL database queries. The Wakyma web application, which appears to be a veterinary practice management system based on the endpoint path, fails to validate GET request parameters at the employee endpoint. This allows injection of NoSQL query operators that can bypass intended access controls and retrieve unauthorized data from the underlying non-relational database. No specific CPE identifiers are available to precisely identify the affected product versions.
RemediationAI
No patch information or vendor advisory is currently available for CVE-2026-3021. Organizations using the Wakyma web application should contact the vendor for security updates and monitor for patch releases. As immediate mitigation, implement strict input validation and parameterized queries for all database operations at the affected endpoint, enforce the principle of least privilege for authenticated users, and monitor for suspicious query patterns in application logs that may indicate exploitation attempts.
More in Wakyma Application Web
View allAn identity-based authorization bypass vulnerability (IDOR) allows authenticated attackers to modify other users' accoun
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in t
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12391