Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.
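The request shape the description gives (form-encoded POST to /php/request.php with a `sql` parameter) is enough to write a detection check. The following is an added example, not part of the CVE record or the vendor's code: it scans constructed JSON-lines proxy request records (the record format, field names and addresses are assumptions) and flags requests that match that shape.

```python
import json
from urllib.parse import parse_qs

# Constructed sample request records from a hypothetical reverse proxy that
# logs POST bodies. Not real traffic; addresses and bodies are made up.
SAMPLE_RECORDS = """\
{"src": "10.0.0.5", "method": "POST", "path": "/php/request.php", "content_type": "application/x-www-form-urlencoded", "body": "action=do&sql=SELECT+1&reload_driver=0"}
{"src": "10.0.0.6", "method": "POST", "path": "/php/request.php", "content_type": "application/x-www-form-urlencoded", "body": "action=status&id=7"}
{"src": "10.0.0.7", "method": "GET", "path": "/php/request.php", "content_type": "", "body": ""}
{"src": "10.0.0.8", "method": "POST", "path": "/php/other.php", "content_type": "application/x-www-form-urlencoded", "body": "sql=1"}
not valid json
"""

VULN_PATH = "/php/request.php"  # endpoint named in the advisory


def is_cve_2026_3843_pattern(rec: dict) -> bool:
    """True when a record is a form-encoded POST to /php/request.php
    whose body carries a `sql` parameter, as described in the advisory."""
    if rec.get("method", "").upper() != "POST":
        return False
    # Ignore any query string when comparing the path.
    if rec.get("path", "").split("?", 1)[0] != VULN_PATH:
        return False
    ctype = rec.get("content_type", "").lower()
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return False
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    return "sql" in params


def find_suspect_requests(log_text: str) -> list:
    """Return one dict per matching record with the fields an analyst
    would triage first: source, action value and the raw sql value."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if is_cve_2026_3843_pattern(rec):
            params = parse_qs(rec["body"], keep_blank_values=True)
            hits.append({
                "src": rec.get("src"),
                "action": params.get("action", [""])[0],
                "sql": params.get("sql", [""])[0],
            })
    return hits
```

Any hit from a host that has not been updated to 2.10.2 warrants immediate review; on an updated host the same check still shows who is probing the endpoint.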

Status: PUBLISHED | Reserved 2026-03-09 | Published 2026-03-10 | Updated 2026-03-10 | Assigner: TuranSec

Severity

CRITICAL 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CRITICAL 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected

2.9.1 (semver) before 2.10.2: affected

2.10.2 (semver): unaffected

Credits

Yergashvoyev Jamshed (CVE GUY), finder

References

bukts.ru/repo-bukts-current

bdu.fstec.ru/vul/2025-13914

cve.org (CVE-2026-3843)

nvd.nist.gov (CVE-2026-3843)