Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Netcad Software Inc. E-İmar allows SQL Injection.
This issue affects E-İmar: from 2.10.1.0 before 3.0.2.
AnalysisAI
SQL injection in Netcad Software's E-İmar urban planning/permit management platform (versions 2.10.1.0 through 3.0.2) allows remote unauthenticated attackers to manipulate backend database queries via crafted input. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, but the disclosure by Turkey's national CERT (TR-CERT) indicates coordinated vendor notification.
Technical ContextAI
E-İmar is a Netcad Software product used by Turkish municipalities for electronic zoning, construction permit, and urban planning workflows - a regulated government-facing application that typically stores citizen identity data, parcel/cadastral records, and permit documents. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated into SQL statements without parameterization or adequate escaping. The CPE 'cpe:2.3:a:netcad_software_inc.:e-i̇mar:*:*:*:*:*:*:*:*' covers all versions, but the description narrows the impact window to 2.10.1.0 up to (but not including) 3.0.2. The specific injectable parameter, endpoint, and database backend are not disclosed in the public advisory.
RemediationAI
Vendor-released patch: upgrade E-İmar to version 3.0.2 or later, which contains the fix per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0343. Until the upgrade is deployed, restrict network exposure of the E-İmar application by placing it behind a VPN or municipal-network-only ACL (trade-off: blocks legitimate public-facing permit submissions if exposed externally), and deploy a WAF with strict SQL injection signature rules in front of the application (trade-off: signature-based detection can be bypassed via encoding and may produce false positives on parameters that legitimately contain SQL-like characters). Enable database query logging and review for anomalous UNION, sleep, or stacked-query patterns on the E-İmar database during the exposure window.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35425
GHSA-wmxv-4gxc-8g7h