Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionCVE.org
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting special NoSQL commands, resulting in the attacker being able to obtain customer reports.
AnalysisAI
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in the hospitalization summary generation endpoint at vets.wakyma.com. Authenticated users with low privileges can inject NoSQL commands into POST requests to exfiltrate customer reports containing sensitive veterinary and pet owner data. The vulnerability has a high CVSS score of 7.1 but requires authentication, limiting the attack surface to users with valid credentials.
Technical ContextAI
The vulnerability affects the Wakyma veterinary management system web application, though specific version information and CPE identifiers are not provided in the available data. The root cause is CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), which occurs when applications fail to properly sanitize user input before incorporating it into NoSQL database queries. Unlike traditional SQL injection, NoSQLi exploits the query syntax of non-relational databases like MongoDB, allowing attackers to manipulate query logic through JSON injection or other NoSQL-specific techniques in the /hospitalization/generate-hospitalization-summary endpoint.
RemediationAI
Primary remediation requires patching the Wakyma application to properly sanitize and validate all user inputs before constructing NoSQL queries, though no specific patch version or vendor advisory is currently available. As immediate mitigation, implement input validation on the affected endpoint to reject special NoSQL operators and syntax, enforce strict access controls to limit who can access hospitalization features, and monitor logs for suspicious query patterns or bulk data access attempts. Consider implementing a web application firewall (WAF) with NoSQL injection detection rules as an additional defensive layer.
More in Wakyma Application Web
View allAn identity-based authorization bypass vulnerability (IDOR) allows authenticated attackers to modify other users' accoun
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12393