Description
Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POST requests with crafted SQL payloads in the user_id field to bypass authentication and extract sensitive database information.
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POST requests with crafted SQL payloads in the user_id field to bypass authentication and extract sensitive database information. The weakness is classified as CWE-89. The CVSS score of 8.8 reflects a high-severity risk to the confidentiality and integrity of the database contents.

Affected Systems

The affected product is listed as Varient SQL Inj. from the vendor Varient. Version 1.6.1 is the only version given in the vendor information; no other affected versions appear in the record, so the scope is limited to this release.

Risk and Exploitability

The low EPSS score (<1%) indicates that the probability of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. However, the high CVSS score shows that the impact would be significant if it were exploited. The vulnerable endpoint accepts crafted POST requests without any authentication, so the flaw is reachable by any unauthenticated user.

Generated by OpenCVE AI on March 17, 2026 at 15:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or update for Varient 1.6.1 if one is available.
  • If no patch is available, restrict the database user permissions to limit the potential impact of injected queries.
  • Implement proper input validation and use parameterized queries to prevent this class of SQL injection in the future.
  • Monitor logs for suspicious POST requests with unusual user_id values.



Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Varient; Varient varient Sql Inj.

Type: Vendors & Products
Values added: Varient; Varient varient Sql Inj.

Wed, 11 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 18:45:00 +0000

Type: Description
Values added: Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POST requests with crafted SQL payloads in the user_id field to bypass authentication and extract sensitive database information.

Type: Title
Values added: Varient 1.6.1 SQL Injection via user_id Parameter

Type: Weaknesses
Values added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Type: Metrics (cvssV4_0)
Values added: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:04:38.349Z

Reserved: 2026-02-23T17:22:01.435Z

Link: CVE-2019-25486

Vulnrichment

Updated: 2026-03-11T19:22:30.351Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T19:16:02.947

Modified: 2026-03-12T21:08:22.643

Link: CVE-2019-25486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:37Z

Weaknesses