Skip to main content

Mediküm Web EUVDEUVD-2026-42223

| CVE-2026-8307 CRITICAL
SQL Injection (CWE-89)
2026-07-08 TR-CERT GHSA-g684-5gx4-77w9
9.8
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Remote unauthenticated SQL injection with no user interaction (AV:N/AC:L/PR:N/UI:N); full database read/write gives C:H/I:H/A:H within an unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 13:15 vuln.today

DescriptionCVE.org

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection.

This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.

AnalysisAI

SQL injection in Webbeyaz Web Design's Mediküm Web application (all versions through build 08072026) lets remote unauthenticated attackers inject arbitrary SQL commands, yielding full read/write control over the backend database. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction; no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate exposed Mediküm Web instance
Delivery
Submit crafted SQL in input parameter
Exploit
Injection alters backend query
Execution
Extract or modify database records
Impact
Full compromise of application data

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Mediküm Web, per CVSS AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to genuinely high real-world exploitability where the product is deployed, but low likelihood of broad mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker discovers an internet-exposed Mediküm Web instance and submits a crafted parameter (e.g., in a login, search, or record-lookup field) containing SQL metacharacters. Because input is not sanitized, the injected clause executes against the application database, letting the attacker dump patient/user records, modify or delete data, or authenticate as an arbitrary user. …
Remediation No vendor-released patch identified at time of analysis, and none is expected - the vendor confirmed to TR-CERT that Mediküm Web is end-of-life and unsupported - so the primary recommendation is to decommission or migrate off the product to a maintained alternative. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all deployed instances of Mediküm Web application and assess whether production or sensitive systems depend on them. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy