Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
AnalysisAI
SQL injection in Sunnet CTMS allows authenticated remote attackers with low privileges to execute arbitrary SQL commands over the network. The vulnerability enables complete compromise of database integrity - reading sensitive data, modifying records, and deleting information. Taiwan CERT (TWCERT) published advisories documenting this vulnerability, indicating coordinated disclosure. EPSS and KEV data not available; exploitation status unknown beyond vendor notification.
Technical ContextAI
CTMS (Clinical Trial Management System) by Sunnet contains a CWE-89 SQL injection flaw in its database interaction layer. The affected component fails to properly sanitize user-supplied input before incorporating it into SQL queries. Based on the CPE string cpe:2.3:a:sunnet:ctms, this affects Sunnet's CTMS product across unspecified versions. SQL injection vulnerabilities occur when applications concatenate untrusted input directly into SQL statements rather than using parameterized queries or prepared statements. The CVSS 4.0 vector shows network accessibility (AV:N), low attack complexity (AC:L), and requires low-privilege authentication (PR:L), indicating the vulnerable functionality is exposed to authenticated users through the application's normal network interface.
RemediationAI
Consult TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html for vendor-specific patch information and upgrade instructions; exact patched version not identified in current intelligence. Until vendor patches are applied, implement compensating controls: restrict CTMS access to authenticated users via VPN or IP allowlisting to reduce attack surface from network-based threats; enable database query logging and implement anomaly detection for unusual SQL patterns (large result sets, UNION queries, time delays indicating blind SQLi); apply web application firewall rules to detect and block common SQL injection payloads in HTTP parameters, though this provides defense-in-depth only and may cause false positives with legitimate complex queries; enforce principle of least privilege for database accounts used by the CTMS application to limit potential data exposure from successful exploitation. Note that authentication-based restrictions provide limited protection since the vulnerability requires authenticated access already.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26769