Description
iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter. Attackers can send POST requests to the search endpoint with crafted SQL payloads to extract sensitive database information.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Patch
AI Analysis

Impact

iScripts ReserveLogic includes an SQL injection vulnerability (CWE-89) that allows unauthenticated attackers to manipulate database queries through the jqSearchDestination parameter on the search endpoint. Attackers can send crafted POST requests containing SQL payloads, resulting in extraction of sensitive database information. Based on the description, it is inferred that this could lead to exposure of confidential data.

Affected Systems

The affected product is ReserveLogic from the vendor iScripts. No specific version information is disclosed in the CVE data, so all installations of this product may be vulnerable until further details are released.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated POST request to the search endpoint, as stated in the CVE description. Based on the description, it is inferred that any user with network access to the application could potentially exploit this flaw. The high score makes remediation a high priority, though the low EPSS score suggests there may be a short window in which to apply a patch.

Generated by OpenCVE AI on March 18, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify installation of iScripts ReserveLogic and identify the version.
  • Apply an official vendor patch or update if available.
  • If no patch exists, restrict access to the search endpoint or enforce authentication for that endpoint.
  • Implement input validation or sanitization on the jqSearchDestination parameter to prevent arbitrary SQL execution.
  • Monitor application logs for suspicious POST requests to the search endpoint.

Advisories

No advisories yet.

History

Sat, 14 Mar 2026 04:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 13 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Iscripts; Iscripts reservelogic |
| Vendors & Products | | Iscripts; Iscripts reservelogic |

Thu, 12 Mar 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter. Attackers can send POST requests to the search endpoint with crafted SQL payloads to extract sensitive database information. |
| Title | | iScripts ReserveLogic Lastest SQL Injection via search endpoint |
| Weaknesses | | CWE-89 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-14T03:40:20.995Z

Reserved: 2026-02-23T12:15:05.149Z

Link: CVE-2019-25481

Vulnrichment

Updated: 2026-03-14T03:40:17.034Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T16:16:02.240

Modified: 2026-03-12T21:07:53.427

Link: CVE-2019-25481

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:35Z

Weaknesses