Skip to main content

Sunnet CTMS CVE-2026-7489

| EUVDEUVD-2026-26769 HIGH
SQL Injection (CWE-89)
2026-05-02 twcert
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 02, 2026 - 10:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 02, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 02, 2026 - 10:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Analysis Generated
May 02, 2026 - 10:00 vuln.today
EUVD ID Assigned
May 02, 2026 - 09:30 euvd
EUVD-2026-26769
Analysis Generated
May 02, 2026 - 09:30 vuln.today
CVE Published
May 02, 2026 - 09:02 nvd
HIGH 8.7

DescriptionCVE.org

CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

AnalysisAI

SQL injection in Sunnet CTMS allows authenticated remote attackers with low privileges to execute arbitrary SQL commands over the network. The vulnerability enables complete compromise of database integrity - reading sensitive data, modifying records, and deleting information. Taiwan CERT (TWCERT) published advisories documenting this vulnerability, indicating coordinated disclosure. EPSS and KEV data not available; exploitation status unknown beyond vendor notification.

Technical ContextAI

CTMS (Clinical Trial Management System) by Sunnet contains a CWE-89 SQL injection flaw in its database interaction layer. The affected component fails to properly sanitize user-supplied input before incorporating it into SQL queries. Based on the CPE string cpe:2.3:a:sunnet:ctms, this affects Sunnet's CTMS product across unspecified versions. SQL injection vulnerabilities occur when applications concatenate untrusted input directly into SQL statements rather than using parameterized queries or prepared statements. The CVSS 4.0 vector shows network accessibility (AV:N), low attack complexity (AC:L), and requires low-privilege authentication (PR:L), indicating the vulnerable functionality is exposed to authenticated users through the application's normal network interface.

RemediationAI

Consult TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html for vendor-specific patch information and upgrade instructions; exact patched version not identified in current intelligence. Until vendor patches are applied, implement compensating controls: restrict CTMS access to authenticated users via VPN or IP allowlisting to reduce attack surface from network-based threats; enable database query logging and implement anomaly detection for unusual SQL patterns (large result sets, UNION queries, time delays indicating blind SQLi); apply web application firewall rules to detect and block common SQL injection payloads in HTTP parameters, though this provides defense-in-depth only and may cause false positives with legitimate complex queries; enforce principle of least privilege for database accounts used by the CTMS application to limit potential data exposure from successful exploitation. Note that authentication-based restrictions provide limited protection since the vulnerability requires authenticated access already.

Share

CVE-2026-7489 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy