Skip to main content

Control System CVE-2026-34185

| EUVDEUVD-2026-20886 HIGH
SQL Injection (CWE-89)
2026-04-09 CERT-PL GHSA-p6w4-7rrj-xwqx
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 20, 2026 - 17:07 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:00 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
9.8.5
EUVD ID Assigned
Apr 09, 2026 - 10:00 euvd
EUVD-2026-20886
Analysis Generated
Apr 09, 2026 - 10:00 vuln.today
CVE Published
Apr 09, 2026 - 09:41 nvd
HIGH 8.7

DescriptionCVE.org

Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5

AnalysisAI

SQL injection in Hydrosystem Control System versions before 9.8.5 allows authenticated attackers to execute arbitrary SQL commands via unprotected input parameters across multiple scripts. Exploitation requires low-privilege authentication but no user interaction, enabling attackers to compromise database confidentiality and integrity with potential for full database control. No public exploit identified at time of analysis.

Technical ContextAI

Systemic absence of input validation and parameterized query implementation across application scripts. CWE-89 SQL injection vulnerability permits direct manipulation of backend database queries through crafted input to multiple entry points. CVSS 4.0 vector indicates network-accessible attack surface requiring authenticated session.

RemediationAI

Vendor-released patch: upgrade to Hydrosystem Control System version 9.8.5 or later, which resolves the SQL injection vulnerability through implementation of input validation and parameterized queries. Organizations unable to immediately upgrade should restrict application access to trusted users only, implement web application firewall rules to detect SQL injection patterns, and enforce principle of least privilege for database service accounts. Monitor database query logs for anomalous activity. Advisory details available at https://cert.pl/posts/2026/04/CVE-2026-4901/ and vendor site https://www.hydrosystem.poznan.pl/. Prioritize patching for internet-facing deployments given network attack vector.

Share

CVE-2026-34185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy