Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionCVE.org
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them to list both pets and owner names.
AnalysisAI
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print-tags' endpoint that allows authenticated users to inject NoSQL commands via manipulated POST requests. An attacker with valid credentials can exploit this vulnerability to extract sensitive information including pet names and owner names from the backend database. With a CVSS score of 5.3 and low attack complexity, this represents a moderate confidentiality risk requiring prompt remediation despite the requirement for authentication.
Technical ContextAI
The vulnerability is rooted in CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), which describes failures to properly sanitize or parameterize NoSQL queries. The affected endpoint 'vets.wakyma.com/pets/print-tags' processes POST request parameters without adequate input validation before passing them to NoSQL database queries, likely using a document database engine such as MongoDB. The lack of query parameterization or input encoding allows an attacker to inject NoSQL operator syntax (such as MongoDB query operators like $ne, $regex, or $where) directly into the query structure. This is distinct from traditional SQL injection but follows similar exploitation principles—the root cause is the failure to treat user input as data rather than executable query logic.
RemediationAI
The primary remediation is to implement input validation and parameterized NoSQL queries on the affected '/pets/print-tags' endpoint. Developers should use NoSQL query builders or ORM libraries that enforce parameterized query syntax, ensuring user input is never concatenated directly into query logic. As an immediate interim control, restrict access to the endpoint via network segmentation or IP whitelisting to only trusted internal services or administrative users until patching is completed. Additionally, implement rate limiting and anomaly detection on the endpoint to flag unusual query patterns characteristic of NoSQL injection attempts. Apply the vendor patch from Wakyma as soon as available; monitor vets.wakyma.com security advisories or contact Wakyma support for patch deployment instructions and timelines.
More in Wakyma Application Web
View allAn identity-based authorization bypass vulnerability (IDOR) allows authenticated attackers to modify other users' accoun
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in t
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12395