Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in MOSK Information Technologies Ltd. CBS Platform allows SQL Injection.
This issue affects CBS Platform: through 09062026. NOTE: The vendor was contacted and it was learned that the product is not supported.
AnalysisAI
Remote SQL injection in MOSK Information Technologies CBS Platform (versions through 09062026) allows unauthenticated attackers to inject arbitrary SQL commands over the network without user interaction, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The vendor confirmed to TR-CERT that the product is no longer supported, so no official fix will be issued. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Technical ContextAI
The flaw is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) issue in the CBS Platform application by MOSK Information Technologies Ltd. (CPE: cpe:2.3:a:mosk_information_technologies_ltd.:cbs_platform). Root cause is user-supplied input being concatenated into SQL queries without parameterization or proper escaping, allowing attackers to break out of the intended query context and execute attacker-controlled SQL against the backing database. Because the CVSS scope is Unchanged with C/I/A all High, the database account used by the application likely has broad privileges over its own data, enabling read, modify, and destroy operations on application data.
RemediationAI
No vendor-released patch identified at time of analysis - the vendor explicitly told TR-CERT that CBS Platform is end-of-life and unsupported, so no fix will be issued (see https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0344). The primary remediation is to migrate off CBS Platform to a supported alternative as soon as possible. Until decommissioning is complete, restrict network exposure by placing the application behind a VPN or IP allowlist so it is unreachable from the public internet (trade-off: breaks any external integrations or remote user access), deploy a Web Application Firewall with SQL injection rulesets in front of the application to filter common SQLi payloads (trade-off: WAFs can be bypassed and may break legitimate queries that resemble injection), and reduce the database account privileges used by the application to the minimum required so a successful injection cannot escalate to administrative DB actions (trade-off: may break legitimate operations and requires testing). Enable verbose query logging and monitor for SQLi indicators (UNION SELECT, sleep/benchmark, error-based payloads) to gain detection coverage in lieu of a fix.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35445
GHSA-42qw-cwf6-692f