Skip to main content

Wakyma Application Web EUVDEUVD-2026-12395

| CVE-2026-3023 MEDIUM
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-03-16 INCIBE
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 11:00 euvd
EUVD-2026-12395
Analysis Generated
Mar 16, 2026 - 11:00 vuln.today
Patch released
Mar 16, 2026 - 11:00 nvd
Patch available
CVE Published
Mar 16, 2026 - 10:12 nvd
MEDIUM 5.3

DescriptionCVE.org

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them to list both pets and owner names.

AnalysisAI

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print-tags' endpoint that allows authenticated users to inject NoSQL commands via manipulated POST requests. An attacker with valid credentials can exploit this vulnerability to extract sensitive information including pet names and owner names from the backend database. With a CVSS score of 5.3 and low attack complexity, this represents a moderate confidentiality risk requiring prompt remediation despite the requirement for authentication.

Technical ContextAI

The vulnerability is rooted in CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), which describes failures to properly sanitize or parameterize NoSQL queries. The affected endpoint 'vets.wakyma.com/pets/print-tags' processes POST request parameters without adequate input validation before passing them to NoSQL database queries, likely using a document database engine such as MongoDB. The lack of query parameterization or input encoding allows an attacker to inject NoSQL operator syntax (such as MongoDB query operators like $ne, $regex, or $where) directly into the query structure. This is distinct from traditional SQL injection but follows similar exploitation principles—the root cause is the failure to treat user input as data rather than executable query logic.

RemediationAI

The primary remediation is to implement input validation and parameterized NoSQL queries on the affected '/pets/print-tags' endpoint. Developers should use NoSQL query builders or ORM libraries that enforce parameterized query syntax, ensuring user input is never concatenated directly into query logic. As an immediate interim control, restrict access to the endpoint via network segmentation or IP whitelisting to only trusted internal services or administrative users until patching is completed. Additionally, implement rate limiting and anomaly detection on the endpoint to flag unusual query patterns characteristic of NoSQL injection attempts. Apply the vendor patch from Wakyma as soon as available; monitor vets.wakyma.com security advisories or contact Wakyma support for patch deployment instructions and timelines.

Share

EUVD-2026-12395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy