Skip to main content

Yandex Database

1 CVEs product

Monthly

CVE-2026-10549 MEDIUM PATCH This Month

LDAP filter injection in Yandex Database (all versions prior to 25.3.1.25) enables a network-accessible attacker holding valid LDAP credentials to manipulate the group membership validation queries sent to the directory service, bypassing access controls and gaining unauthorized database access beyond their permitted scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) and the Automatable:Yes (AU:Y) attribute confirm this is a low-complexity, scriptable attack requiring no user interaction, increasing risk in environments with large LDAP user populations. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; a vendor-released patch is available at version 25.3.1.25.

Authentication Bypass Yandex Database
NVD
CVSS 4.0
5.3
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

LDAP filter injection in Yandex Database (all versions prior to 25.3.1.25) enables a network-accessible attacker holding valid LDAP credentials to manipulate the group membership validation queries sent to the directory service, bypassing access controls and gaining unauthorized database access beyond their permitted scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) and the Automatable:Yes (AU:Y) attribute confirm this is a low-complexity, scriptable attack requiring no user interaction, increasing risk in environments with large LDAP user populations. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; a vendor-released patch is available at version 25.3.1.25.

Authentication Bypass Yandex Database
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy