Skip to main content

Wakyma Application Web CVE-2026-3021

| EUVDEUVD-2026-12391 MEDIUM
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-03-16 INCIBE
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 11:00 euvd
EUVD-2026-12391
Analysis Generated
Mar 16, 2026 - 11:00 vuln.today
Patch released
Mar 16, 2026 - 11:00 nvd
Patch available
CVE Published
Mar 16, 2026 - 10:11 nvd
MEDIUM 6.5

DescriptionCVE.org

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL commands. This would lead to the enumeration of sensitive employee data.

AnalysisAI

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.

Technical ContextAI

The vulnerability is classified as CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) which occurs when user-supplied input is not properly sanitized before being used in NoSQL database queries. The Wakyma web application, which appears to be a veterinary practice management system based on the endpoint path, fails to validate GET request parameters at the employee endpoint. This allows injection of NoSQL query operators that can bypass intended access controls and retrieve unauthorized data from the underlying non-relational database. No specific CPE identifiers are available to precisely identify the affected product versions.

RemediationAI

No patch information or vendor advisory is currently available for CVE-2026-3021. Organizations using the Wakyma web application should contact the vendor for security updates and monitor for patch releases. As immediate mitigation, implement strict input validation and parameterized queries for all database operations at the affected endpoint, enforce the principle of least privilege for authenticated users, and monitor for suspicious query patterns in application logs that may indicate exploitation attempts.

Share

CVE-2026-3021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy