
Grit42 Grit: EUVD-2026-36680 / CVE-2026-12206 (LOW)
SQL Injection (CWE-89)
2026-06-15 · VulDB · GHSA-8237-h92m-mj9j
Score 2.1 (CVSS 4.0) · Vendor: VulDB

Severity by source

Vendor (VulDB), primary rating: 2.1 MEDIUM
  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 6.3 MEDIUM
  Network-accessible SQLi requires authenticated low-privilege access (PR:L); the limited declared impact (L/L/L) reflects the described scope, though real SQLi often enables higher data access.
  CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (Vendor: VulDB)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (3 events)

Jun 15, 2026 02:22 (NVD): Severity changed from MEDIUM to LOW
Jun 15, 2026 02:22 (NVD): CVSS changed from 5.3 (MEDIUM) to 2.1 (LOW)
Jun 15, 2026 02:12 (vuln.today): Analysis generated

Description (source: CVE.org)

A vulnerability was identified in Grit42 Grit up to 0.11.0. This issue affects the function Grit::Assays::DataTableEntity of the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

SQL injection in Grit42 Grit through version 0.11.0 allows remote low-privileged attackers to manipulate database queries via the DataTableEntity function in the assays module backend. The CVSS 4.0 vector (AV:N/PR:L/E:P) indicates network-exploitable, low-complexity exploitation by authenticated users with a publicly available proof-of-concept. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain any valid Grit user account
Delivery: Send crafted HTTP request to assays DataTableEntity endpoint
Exploit: Inject SQL payload via vulnerable model parameter
Execution: Query backend database using UNION or blind technique
Impact: Exfiltrate assay data or user credentials from database

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires a valid low-privilege authenticated session on the target Grit instance (consistent with CVSS 4.0 PR:L). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 score of 5.3 (Medium) reflects limited per-request impact (VC:L/VI:L/VA:L) and a low-privilege requirement (PR:L), constraining exploitation to authenticated users. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated low-privilege user with a valid Grit account sends a crafted HTTP request to the assays DataTableEntity endpoint, injecting SQL payloads into a vulnerable parameter handled by the DataTableEntity model function. Using UNION-based or blind time-based techniques documented in the public PoC, the attacker extracts database contents, potentially including other users' assay data, credentials, or configuration values. …

Remediation: No vendor-released patch is available at the time of analysis; the vendor did not respond to the coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.



EUVD-2026-36680 vulnerability details – vuln.today
