EUVD-2026-14475
GHSA-8fx2-x558-87xq
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Such manipulation of the argument sort.field leads to sql injection hibernate. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
SQL injection in Erupt up to version 1.13.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through the sort.field parameter in the HQL query builder. Public exploit code exists for this vulnerability, and no patch is currently available. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Erupt framework versions ≤1.13.3 and isolate them or disable internet-facing access; implement emergency WAF rules to block malicious sort.field parameters. Within 7 days: Deploy network segmentation to restrict access to affected systems; conduct forensic logs review for signs of exploitation. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today