Skip to main content

CBS Platform CVE-2026-8025

| EUVDEUVD-2026-35445 CRITICAL
SQL Injection (CWE-89)
2026-06-09 TR-CERT GHSA-42qw-cwf6-692f
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 15:47 vuln.today

DescriptionCVE.org

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in MOSK Information Technologies Ltd. CBS Platform allows SQL Injection.

This issue affects CBS Platform: through 09062026.  NOTE: The vendor was contacted and it was learned that the product is not supported.

AnalysisAI

Remote SQL injection in MOSK Information Technologies CBS Platform (versions through 09062026) allows unauthenticated attackers to inject arbitrary SQL commands over the network without user interaction, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The vendor confirmed to TR-CERT that the product is no longer supported, so no official fix will be issued. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Technical ContextAI

The flaw is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) issue in the CBS Platform application by MOSK Information Technologies Ltd. (CPE: cpe:2.3:a:mosk_information_technologies_ltd.:cbs_platform). Root cause is user-supplied input being concatenated into SQL queries without parameterization or proper escaping, allowing attackers to break out of the intended query context and execute attacker-controlled SQL against the backing database. Because the CVSS scope is Unchanged with C/I/A all High, the database account used by the application likely has broad privileges over its own data, enabling read, modify, and destroy operations on application data.

RemediationAI

No vendor-released patch identified at time of analysis - the vendor explicitly told TR-CERT that CBS Platform is end-of-life and unsupported, so no fix will be issued (see https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0344). The primary remediation is to migrate off CBS Platform to a supported alternative as soon as possible. Until decommissioning is complete, restrict network exposure by placing the application behind a VPN or IP allowlist so it is unreachable from the public internet (trade-off: breaks any external integrations or remote user access), deploy a Web Application Firewall with SQL injection rulesets in front of the application to filter common SQLi payloads (trade-off: WAFs can be bypassed and may break legitimate queries that resemble injection), and reduce the database account privileges used by the application to the minimum required so a successful injection cannot escalate to administrative DB actions (trade-off: may break legitimate operations and requires testing). Enable verbose query logging and monitor for SQLi indicators (UNION SELECT, sleep/benchmark, error-based payloads) to gain detection coverage in lieu of a fix.

Share

CVE-2026-8025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy