Description
WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL injection allowing unauthenticated attackers to manipulate database queries
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can inject arbitrary SQL through the web application’s ‘urun’ GET parameter. The flaw supports boolean‑based blind, error‑based, time‑based blind, and stacked query attacks, potentially enabling the attacker to read, modify, or delete sensitive data stored in the backend database. Based on the description, it is inferred that these actions could expose customer information, disrupt transactions, and undermine business operations.

Affected Systems

The vulnerability applies to Web‑Ofisi Ticaret V4, specifically the E‑Ticaret 4.0 web application. No specific version information is disclosed in the data.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, classifying it as high severity. Its EPSS score is below 1 %, indicating a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. The attack vector is remote, as the attack can be performed by sending an unauthenticated HTTP GET request to the vulnerable endpoint. The vulnerability can be exploited without requiring additional privileges or user interaction, making it relatively easy for attackers skilled in SQL injection.

Generated by OpenCVE AI on March 27, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or update that addresses the SQL injection flaw on Web‑Ofisi E‑Ticaret 4.0.
  • If a patch is not yet available, restrict unauthenticated access to the endpoint that accepts the ‘urun’ parameter, for example by implementing network or application firewall rules.
  • Deploy a web application firewall configured to detect and block suspicious SQL injection patterns on the vulnerable endpoint.
  • Review the application code to replace the vulnerable query construction with parameterized queries or prepared statements, thereby eliminating the injection surface.

Generated by OpenCVE AI on March 27, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Web-ofisi e-ticaret
CPEs cpe:2.3:a:web-ofisi:e-ticaret:*:*:*:*:*:*:*:*
Vendors & Products Web-ofisi e-ticaret

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Web-ofisi
Web-ofisi ticaret
Vendors & Products Web-ofisi
Web-ofisi ticaret

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database.
Title WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Web-ofisi E-ticaret Ticaret
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-28T02:16:15.915Z

Reserved: 2026-03-26T11:34:53.935Z

Link: CVE-2018-25210

cve-icon Vulnrichment

Updated: 2026-03-28T02:16:12.184Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T12:16:06.460

Modified: 2026-03-27T18:29:35.243

Link: CVE-2018-25210

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:27:55Z

Weaknesses