Description
qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration via SQL Injection
Action: Patch Immediately
AI Analysis

Impact

qdPM 9.1, a project management solution, contains a critical SQL injection flaw in its timeReport endpoint. By submitting specially crafted POST requests with malicious input in the filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters, an attacker can inject arbitrary SQL code. This flaw allows unauthenticated users to read sensitive database records, potentially exposing confidential information. The weakness is a classic SQL injection (CWE-89).

Affected Systems

The qdPM product, specifically versions 8.3, 9.0, 9.1, and 9.2. The product is commonly deployed by organizations relying on qdPM for project management tasks; any installation running these versions is potentially exposed if the timeReport endpoint is reachable from untrusted networks.

Risk and Exploitability

The CVSS base score is 8.8, indicating a high severity risk. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely without authentication by sending POST requests to the timeReport URL from any external origin. Given the lack of authentication checks and the direct influence over SQL query formation, exploitation is straightforward for an adversary with network access to the application.

Generated by OpenCVE AI on March 26, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade qdPM to the latest release that mitigates the timeReport injection flaw.
  • If upgrade is not immediately possible, restrict external access to the timeReport endpoint or the rest of the application using firewall rules or network segmentation.
  • Deploy a web application firewall or configure request filtering to block suspicious SQL payloads targeting the filter_by parameters.
  • Review application logs for signs of injected queries and investigate any anomalies.
  • Confirm that the vendor has released an update, and apply the official security release as soon as it becomes available.
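As an added example that is not part of the OpenCVE page or of the qdPM project, the log review and request-filtering actions above can be made concrete with an allow-list check: both filter_by date parameters should only ever carry a calendar date, so any other value on a POST to timeReport is worth investigating regardless of which SQL syntax it contains. The request-log line format, the /index.php/timeReport path and the YYYY-MM-DD date format are assumptions for this example, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed request-log lines (not real traffic). The line format, the
# /index.php/timeReport path and the YYYY-MM-DD date format are assumptions
# for this example; adjust them to what your installation actually logs.
SAMPLE_LOG = """\
2026-03-26T12:01:02Z 203.0.113.5 POST /index.php/timeReport body=filter_by%5BCommentCreatedFrom%5D=2026-03-01&filter_by%5BCommentCreatedTo%5D=2026-03-26
2026-03-26T12:01:09Z 203.0.113.5 POST /index.php/timeReport body=filter_by%5BCommentCreatedFrom%5D=2026-03-01%27&filter_by%5BCommentCreatedTo%5D=2026-03-26
2026-03-26T12:02:15Z 198.51.100.7 POST /index.php/timeReport body=filter_by%5BCommentCreatedFrom%5D=&filter_by%5BCommentCreatedTo%5D=2026-03-26
2026-03-26T12:03:40Z 198.51.100.7 GET /index.php/projects body=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$"
)
# Allow-list: these two filters are date fields, so anything that is not a
# plain calendar date (quotes, keywords, comment markers, ...) is suspicious.
DATE_FILTERS = ("filter_by[CommentCreatedFrom]", "filter_by[CommentCreatedTo]")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def find_suspicious_requests(log_text):
    """Return one finding per non-date value sent in a date filter of a timeReport POST."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or "timeReport" not in m["path"]:
            continue
        # parse_qs decodes %5B/%5D, so the keys come back as filter_by[...]
        params = parse_qs(m["body"], keep_blank_values=True)
        for name in DATE_FILTERS:
            for value in params.get(name, []):
                if value and not DATE_RE.match(value):  # empty means "no filter set"
                    findings.append(
                        {"ts": m["ts"], "client": m["client"], "param": name, "value": value}
                    )
    return findings


if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['param']} = {f['value']!r}")
```

The same allow-list (date or empty, nothing else) is what a request-filtering rule in front of the application should enforce for these two parameters.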

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Values Removed: (none)
Values Added:
  Description: qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters to execute arbitrary SQL queries and retrieve sensitive data.
  Title: qdPM 9.1 SQL Injection via filter_by Parameters
  First Time appeared: Qdpm; Qdpm qdpm
  Weaknesses: CWE-89
  CPEs:
    cpe:2.3:a:qdpm:qdpm:8.3:*:*:*:*:*:*:*
    cpe:2.3:a:qdpm:qdpm:9.0:*:*:*:*:*:*:*
    cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*
    cpe:2.3:a:qdpm:qdpm:9.2:*:*:*:*:*:*:*
  Vendors & Products: Qdpm; Qdpm qdpm
  References: (none)
  Metrics:
    cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
    cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T18:35:47.179Z

Reserved: 2026-03-26T11:34:36.724Z

Link: CVE-2018-25208

Vulnrichment

Updated: 2026-03-26T18:35:42.690Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T12:16:06.047

Modified: 2026-03-26T15:13:15.790

Link: CVE-2018-25208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T08:36:02Z

Weaknesses