CVE-2026-2584 | THREATINT

Description

A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence of specific requirements (AT:N), the vulnerability allows for a total compromise of the system's configuration data (VC:H/VI:H). While the availability of the service remains unaffected (VA:N), the breach may lead to a limited exposure of sensitive information regarding subsequent or interconnected systems (SC:L).

PUBLISHED Reserved 2026-02-16 | Published 2026-03-02 | Updated 2026-03-02 | Assigner INCIBE

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

3.0 to 5.1 (fixed)

affected

References

www.incibe.es/...viso/sql-injection-ciser-system-sl-firmware

cve.org (CVE-2026-2584)

nvd.nist.gov (CVE-2026-2584)

Download JSON