Skip to main content

Corteza CVE-2026-6093

| EUVDEUVD-2026-29079 MEDIUM
SQL Injection (CWE-89)
2026-05-11 Fluid Attacks GHSA-fcwm-j73v-xh2m
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 18:00 vuln.today
CVSS changed
May 11, 2026 - 16:22 NVD
6.0 (MEDIUM)
CVE Published
May 11, 2026 - 14:03 nvd
MEDIUM 6.0
CVE Published
May 11, 2026 - 14:03 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Corteza contains a SQL injection vulnerability in its Microsoft SQL Server (MSSQL) backend when filtering Compose records by the meta field.This issue affects corteza: 2024.9.8.

AnalysisAI

SQL injection in Corteza 2024.9.8 allows authenticated remote attackers to execute arbitrary SQL queries against the Microsoft SQL Server backend when filtering Compose records by the meta field, potentially leading to unauthorized data access or manipulation. Exploitation requires valid user credentials and attacker control over filter parameters.

Technical ContextAI

Corteza is a low-code platform that uses a backend database abstraction layer for managing Compose records. The vulnerability exists in the meta field filtering logic when deployed with Microsoft SQL Server as the database backend. The root cause is CWE-89 (SQL Injection), indicating that user-supplied input from the meta field filter is not properly sanitized or parameterized before being concatenated into SQL queries. When filtering operations construct dynamic SQL queries using unsanitized filter input, an authenticated user can inject malicious SQL syntax to alter query logic and access unintended data or execute administrative operations.

RemediationAI

Upgrade Corteza to a patched version beyond 2024.9.8 once available from the Cortezaproject maintainers (check https://github.com/cortezaproject/corteza for release notes). In the interim, restrict access to Compose record filtering functionality to trusted administrators only, and audit which user accounts have permissions to create or modify filter parameters. Review database user roles to ensure the application account used by Corteza has only minimal required permissions (least privilege) rather than administrative rights; this limits damage from successful SQL injection. Disable or restrict access to the meta field filtering feature if it is not essential to business operations, which eliminates the attack surface entirely. Monitor database query logs for suspicious SQL patterns or syntax errors that may indicate exploitation attempts.

Share

CVE-2026-6093 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy