Skip to main content

Java EUVDEUVD-2026-14473

| CVE-2026-4593 LOW
SQL Injection: Hibernate (CWE-564)
2026-03-23 VulDB GHSA-473j-28g3-gv2f
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVSS changed
Apr 24, 2026 - 16:37 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
PoC Detected
Mar 24, 2026 - 15:54 vuln.today
Public exploit code
EUVD ID Assigned
Mar 23, 2026 - 17:15 euvd
EUVD-2026-14473
Analysis Generated
Mar 23, 2026 - 17:15 vuln.today
CVE Published
Mar 23, 2026 - 16:55 nvd
MEDIUM 6.3

DescriptionCVE.org

A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation causes sql injection hibernate. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Erupt's MCP Tool Interface allows authenticated attackers to manipulate database queries through the EruptDataQuery component, potentially exposing or modifying sensitive data. The vulnerability affects Java-based Erupt deployments version 1.13.3 and has public exploit code available. No patch is currently available from the vendor, who has not responded to disclosure efforts.

Technical ContextAI

The vulnerability resides in the EruptDataQuery.java file within the erupt-ai module, which handles data query operations through the MCP (Model Context Protocol) Tool Interface. The root cause is classified under CWE-564 (Unsafe Name Mapping), indicating improper handling of user-supplied input that gets passed directly to Hibernate ORM queries without adequate sanitization or parameterization. Erupts Erupt is a low-code/no-code rapid development framework built on Java, and the MCP Tool Interface is designed to bridge external tools with the Erupt data layer. When user input from MCP tools is passed to the EruptDataQuery function, it bypasses proper input validation and becomes part of Hibernate query construction, enabling SQL injection attacks at the database level.

RemediationAI

Immediate action requires upgrading Erupts Erupt to a patched version beyond 1.13.3 if available from the vendor, though note that the vendor has not responded to early disclosure efforts, which may complicate obtaining official patches. As an interim mitigation, restrict network access to the MCP Tool Interface to only trusted internal networks and implement strict authentication controls to limit PR:L exposure to authorized users only. Apply database-level access controls to limit the Erupt application's database user permissions to only necessary tables and operations, reducing the impact scope of successful SQL injection exploitation. Additionally, implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in requests to the EruptDataQuery endpoint, monitor database query logs for anomalous activity, and consider disabling the MCP Tool Interface entirely if it is not actively required for operations. Reference the VulDB entries at https://vuldb.com/?submit.775593 and the published exploit details at https://fx4tqqfvdw4.feishu.cn/docx/EunDdwORZoG3uzxpLykcj24mncJ?from=from_copylink for technical analysis to inform filtering rules.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-14473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy