Home

Description

An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.

PUBLISHED Reserved 2025-04-15 | Published 2025-07-25 | Updated 2025-11-19 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

11.32.0 (semver)
affected

11.36.0 (semver)
affected

11.38.0 (semver)
affected

References

documentation.commvault.com/...yadvisories/CV_2025_04_2.html vendor-advisory patch

www.vulncheck.com/...mvault-commserve-web-server-unauth-sqli third-party-advisory

cve.org (CVE-2025-34136)

nvd.nist.gov (CVE-2025-34136)

Download JSON