Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5
AnalysisAI
SQL injection in Hydrosystem Control System versions before 9.8.5 allows authenticated attackers to execute arbitrary SQL commands via unprotected input parameters across multiple scripts. Exploitation requires low-privilege authentication but no user interaction, enabling attackers to compromise database confidentiality and integrity with potential for full database control. No public exploit identified at time of analysis.
Technical ContextAI
Systemic absence of input validation and parameterized query implementation across application scripts. CWE-89 SQL injection vulnerability permits direct manipulation of backend database queries through crafted input to multiple entry points. CVSS 4.0 vector indicates network-accessible attack surface requiring authenticated session.
RemediationAI
Vendor-released patch: upgrade to Hydrosystem Control System version 9.8.5 or later, which resolves the SQL injection vulnerability through implementation of input validation and parameterized queries. Organizations unable to immediately upgrade should restrict application access to trusted users only, implement web application firewall rules to detect SQL injection patterns, and enforce principle of least privilege for database service accounts. Monitor database query logs for anomalous activity. Advisory details available at https://cert.pl/posts/2026/04/CVE-2026-4901/ and vendor site https://www.hydrosystem.poznan.pl/. Prioritize patching for internet-facing deployments given network attack vector.
More in Control System
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20886
GHSA-p6w4-7rrj-xwqx