Skip to main content

InfoScale VIOM EUVDEUVD-2026-31129

| CVE-2026-44923 MEDIUM
SQL Injection (CWE-89)
2026-05-20 mitre GHSA-4pj2-phc6-x4x6
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 20, 2026 - 20:22 vuln.today
CVSS changed
May 20, 2026 - 20:22 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
May 20, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges.

AnalysisAI

SQL injection in Veritas InfoScale Operations Manager (VIOM) prior to v9.1.3 enables remote, unauthenticated attackers to escalate privileges via crafted requests. The vulnerability is network-accessible with no authentication or user interaction required, and SSVC scoring confirms it is automatable, lowering the bar for mass exploitation. No public exploit or CISA KEV listing has been identified at time of analysis, but the unauthenticated attack surface and automatable classification make this a meaningful exposure for any internet-facing VIOM deployment.

Technical ContextAI

InfoScale VIOM (Operations Manager) is a web-based management interface for Veritas InfoScale storage and cluster environments. CWE-89 (SQL Injection) identifies the root cause as insufficient sanitization of user-supplied input before it is incorporated into SQL queries executed by the application backend. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerable endpoint is reachable over the network without credentials, consistent with a web application input handling flaw. The CPE data provided ('n/a:n/a') is uninformative and cannot be used to enumerate affected instances via NVD CPE search; affected version scope is derived exclusively from the CVE description ('before v9.1.3') and the vendor security bulletin referenced. The ENISA EUVD tracks this as EUVD-2026-31129.

RemediationAI

Upgrade Veritas InfoScale VIOM to version 9.1.3 or later, which is the fix boundary stated in the CVE description. The vendor security bulletin at https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080 should be consulted for official upgrade procedures and confirmation of the patched release version. An additional Veritas support document is available at https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640. If immediate patching is not feasible, restrict network access to the VIOM web interface using firewall rules or network segmentation so that only authorized management hosts can reach it - this directly addresses the AV:N attack vector and reduces automatable exploitation risk, though it does not fix the underlying SQL injection flaw. Web application firewall (WAF) rules targeting SQL injection patterns on VIOM endpoints may provide partial mitigation but should not be relied on as a primary control given that bypass techniques are well-documented.

Share

EUVD-2026-31129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy