Skip to main content

Wakyma Application Web EUVDEUVD-2026-12393

| CVE-2026-3022 HIGH
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-03-16 INCIBE
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 11:00 euvd
EUVD-2026-12393
Analysis Generated
Mar 16, 2026 - 11:00 vuln.today
Patch released
Mar 16, 2026 - 11:00 nvd
Patch available
CVE Published
Mar 16, 2026 - 10:11 nvd
HIGH 7.1

DescriptionCVE.org

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting special NoSQL commands, resulting in the attacker being able to obtain customer reports.

AnalysisAI

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in the hospitalization summary generation endpoint at vets.wakyma.com. Authenticated users with low privileges can inject NoSQL commands into POST requests to exfiltrate customer reports containing sensitive veterinary and pet owner data. The vulnerability has a high CVSS score of 7.1 but requires authentication, limiting the attack surface to users with valid credentials.

Technical ContextAI

The vulnerability affects the Wakyma veterinary management system web application, though specific version information and CPE identifiers are not provided in the available data. The root cause is CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), which occurs when applications fail to properly sanitize user input before incorporating it into NoSQL database queries. Unlike traditional SQL injection, NoSQLi exploits the query syntax of non-relational databases like MongoDB, allowing attackers to manipulate query logic through JSON injection or other NoSQL-specific techniques in the /hospitalization/generate-hospitalization-summary endpoint.

RemediationAI

Primary remediation requires patching the Wakyma application to properly sanitize and validate all user inputs before constructing NoSQL queries, though no specific patch version or vendor advisory is currently available. As immediate mitigation, implement input validation on the affected endpoint to reject special NoSQL operators and syntax, enforce strict access controls to limit who can access hospitalization features, and monitor logs for suspicious query patterns or bulk data access attempts. Consider implementing a web application firewall (WAF) with NoSQL injection detection rules as an additional defensive layer.

Share

EUVD-2026-12393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy