Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated SQL injection with no user interaction (AV:N/AC:L/PR:N/UI:N); full database read/write gives C:H/I:H/A:H within an unchanged scope.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection.
This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.
AnalysisAI
SQL injection in Webbeyaz Web Design's Mediküm Web application (all versions through build 08072026) lets remote unauthenticated attackers inject arbitrary SQL commands, yielding full read/write control over the backend database. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction; no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of Mediküm Web, per CVSS AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to genuinely high real-world exploitability where the product is deployed, but low likelihood of broad mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker discovers an internet-exposed Mediküm Web instance and submits a crafted parameter (e.g., in a login, search, or record-lookup field) containing SQL metacharacters. Because input is not sanitized, the injected clause executes against the application database, letting the attacker dump patient/user records, modify or delete data, or authenticate as an arbitrary user. … |
| Remediation | No vendor-released patch identified at time of analysis, and none is expected - the vendor confirmed to TR-CERT that Mediküm Web is end-of-life and unsupported - so the primary recommendation is to decommission or migrate off the product to a maintained alternative. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all deployed instances of Mediküm Web application and assess whether production or sensitive systems depend on them. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Medik M Web
View allReflected XSS in Mediküm Web, a Turkish healthcare web application by Webbeyaz Web Design, enables unauthenticated remot
Stored cross-site scripting in Mediküm Web (by Webbeyaz Web Design) enables authenticated low-privilege attackers to per
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42223
GHSA-g684-5gx4-77w9