Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges.
AnalysisAI
SQL injection in Veritas InfoScale Operations Manager (VIOM) prior to v9.1.3 enables remote, unauthenticated attackers to escalate privileges via crafted requests. The vulnerability is network-accessible with no authentication or user interaction required, and SSVC scoring confirms it is automatable, lowering the bar for mass exploitation. No public exploit or CISA KEV listing has been identified at time of analysis, but the unauthenticated attack surface and automatable classification make this a meaningful exposure for any internet-facing VIOM deployment.
Technical ContextAI
InfoScale VIOM (Operations Manager) is a web-based management interface for Veritas InfoScale storage and cluster environments. CWE-89 (SQL Injection) identifies the root cause as insufficient sanitization of user-supplied input before it is incorporated into SQL queries executed by the application backend. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerable endpoint is reachable over the network without credentials, consistent with a web application input handling flaw. The CPE data provided ('n/a:n/a') is uninformative and cannot be used to enumerate affected instances via NVD CPE search; affected version scope is derived exclusively from the CVE description ('before v9.1.3') and the vendor security bulletin referenced. The ENISA EUVD tracks this as EUVD-2026-31129.
RemediationAI
Upgrade Veritas InfoScale VIOM to version 9.1.3 or later, which is the fix boundary stated in the CVE description. The vendor security bulletin at https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080 should be consulted for official upgrade procedures and confirmation of the patched release version. An additional Veritas support document is available at https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640. If immediate patching is not feasible, restrict network access to the VIOM web interface using firewall rules or network segmentation so that only authorized management hosts can reach it - this directly addresses the AV:N attack vector and reduces automatable exploitation risk, though it does not fix the underlying SQL injection flaw. Web application firewall (WAF) rules targeting SQL injection patterns on VIOM endpoints may provide partial mitigation but should not be relied on as a primary control given that bypass techniques are well-documented.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31129
GHSA-4pj2-phc6-x4x6