Skip to main content

E-İmar CVE-2026-7486

| EUVDEUVD-2026-35425 CRITICAL
SQL Injection (CWE-89)
2026-06-09 TR-CERT GHSA-wmxv-4gxc-8g7h
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 15:01 EUVD
Analysis Generated
Jun 09, 2026 - 13:50 vuln.today

DescriptionCVE.org

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Netcad Software Inc. E-İmar allows SQL Injection.

This issue affects E-İmar: from 2.10.1.0 before 3.0.2.

AnalysisAI

SQL injection in Netcad Software's E-İmar urban planning/permit management platform (versions 2.10.1.0 through 3.0.2) allows remote unauthenticated attackers to manipulate backend database queries via crafted input. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, but the disclosure by Turkey's national CERT (TR-CERT) indicates coordinated vendor notification.

Technical ContextAI

E-İmar is a Netcad Software product used by Turkish municipalities for electronic zoning, construction permit, and urban planning workflows - a regulated government-facing application that typically stores citizen identity data, parcel/cadastral records, and permit documents. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated into SQL statements without parameterization or adequate escaping. The CPE 'cpe:2.3:a:netcad_software_inc.:e-i̇mar:*:*:*:*:*:*:*:*' covers all versions, but the description narrows the impact window to 2.10.1.0 up to (but not including) 3.0.2. The specific injectable parameter, endpoint, and database backend are not disclosed in the public advisory.

RemediationAI

Vendor-released patch: upgrade E-İmar to version 3.0.2 or later, which contains the fix per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0343. Until the upgrade is deployed, restrict network exposure of the E-İmar application by placing it behind a VPN or municipal-network-only ACL (trade-off: blocks legitimate public-facing permit submissions if exposed externally), and deploy a WAF with strict SQL injection signature rules in front of the application (trade-off: signature-based detection can be bypassed via encoding and may produce false positives on parameters that legitimately contain SQL-like characters). Enable database query logging and review for anomalous UNION, sleep, or stacked-query patterns on the E-İmar database during the exposure window.

Share

CVE-2026-7486 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy