CVE-2026-10880 | THREATINT

Description

OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a valid password.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-04 | Updated 2026-06-04 | Assigner BLSOPS

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

5.9 (6.6.1) before 6.6.1

affected

References

blog.blacklanternsecurity.com/...26-10880-osnexus-quantastor

cve.org (CVE-2026-10880)

nvd.nist.gov (CVE-2026-10880)

Download JSON