Skip to main content

MobilMen 20T EUVDEUVD-2026-42965

| CVE-2026-2397 CRITICAL
SQL Injection (CWE-89)
2026-07-10 TR-CERT GHSA-r958-fxrc-p879
9.8
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated SQL injection over the network (AV:N/AC:L/PR:N/UI:N) grants full database read/write, so C:H/I:H/A:H; scope unchanged as impact stays within the database system.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 18:25 vuln.today

DescriptionCVE.org

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows SQL Injection.

This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Adam Retail Automation's MobilMen 20T retail-automation software (versions v3 through build 10072026) lets remote attackers inject arbitrary SQL through improperly neutralized input, yielding full read/write access to the backing database. Rated CVSS 9.8 by TR-CERT with an unauthenticated network-reachable vector, though no public exploit has been identified and it is not on CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach MobilMen 20T endpoint over network
Delivery
Submit crafted input to vulnerable parameter
Exploit
Break out of SQL query context
Execution
Execute injected SQL on database
Impact
Dump or modify pricing/transaction/customer data

Vulnerability AssessmentAI

Exploitation The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no special conditions - remote unauthenticated exploitation over the network against MobilMen 20T versions v3 through 10072026, requiring no authentication and no user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals partly align and partly conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the MobilMen 20T application over the network submits a crafted value into a vulnerable parameter (e.g., a login, search, or product-lookup field), breaking out of the intended SQL query to dump the entire database - pricing, transaction and customer data - or to modify records. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, no authentication or user interaction is required and the attack is easily scripted; no public proof-of-concept has been identified, so exploitation would require an attacker to develop the injection independently.
Remediation No vendor-released patch identified at time of analysis - the vendor was contacted early but did not respond, so no fixed version number exists to cite. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Restrict all MobilMen 20T instances to private network access only; disable internet-facing exposure; enable database connection logging and configure alerts for unusual queries. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy