Description
ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watched_searches.php endpoint with crafted SQL payloads to extract sensitive database information including usernames and credentials.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

ResourceSpace 8.6 includes an unauthenticated SQL injection flaw in the watched_searches.php endpoint. By sending a crafted GET request that supplies malicious SQL in the ref parameter, an attacker can execute arbitrary database statements. The consequence is a breach of confidentiality, allowing extraction of usernames, passwords, and other sensitive data directly from the database. This issue maps to the Common Weakness Enumeration entry for SQL injection (CWE-89).

Affected Systems

Montala’s ResourceSpace version 8.6, the version listed in the CNA record, is affected. Installations running this exact version are vulnerable; no other versions are identified in the provided data.

Risk and Exploitability

The CVSS score of 8.8 underscores a high severity, and the EPSS score of less than 1% indicates that exploit attempts are expected to be rare. The vulnerability is not yet catalogued in CISA’s KEV list. The attack can be launched simply by crafting a web request to the watched_searches.php endpoint without any prior authentication, making exploitation straightforward but still highly impactful. No additional prerequisites or other weaknesses beyond this single endpoint are mentioned.

Generated by OpenCVE AI on April 14, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ResourceSpace to a version that contains the fix for this vulnerability.
  • If an immediate upgrade is not possible, block or restrict access to watched_searches.php so that only authenticated users can reach it.
  • Deploy web application firewall (WAF) or input validation rules to reject malicious ref parameter payloads.
  • Monitor web logs for unusual GET requests to watched_searches.php and investigate anomalous activity.
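One way to implement the log-monitoring step above, as an added example that is not part of the OpenCVE page or of ResourceSpace itself: it scans Apache/nginx combined-format access log lines and flags GET requests to watched_searches.php whose ref value is not a plain integer, including double-URL-encoded values. Assumptions (not from the advisory): a legitimate ref is an integer resource id, and the endpoint is served under /pages/; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined access-log format: only the fields we need are captured
# (client IP, timestamp, method, request target, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Assumption (not from the advisory): a legitimate ref is a plain integer
# resource id. Anything else after decoding is treated as suspicious.
REF_OK = re.compile(r'^\d+$')
ENDPOINT = 'watched_searches.php'


def suspicious_ref(target):
    """Return the decoded ref value when the request targets
    watched_searches.php with a non-integer ref, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(ENDPOINT):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    for raw in qs.get('ref', []):
        # parse_qs decoded once already; decode again so that a
        # double-encoded value such as 42%2527 is still seen as 42'.
        value = unquote(raw)
        if not REF_OK.match(value):
            return value
    return None


def scan_log(lines):
    """Return (client_ip, timestamp, decoded_ref) for each suspicious GET."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'GET':
            continue
        ref = suspicious_ref(m.group('target'))
        if ref is not None:
            hits.append((m.group('ip'), m.group('ts'), ref))
    return hits


# Constructed sample log lines (not real traffic): one benign request, two
# non-integer refs (the second double-encoded), one hit on another page.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2026:17:50:01 +0000] "GET /pages/watched_searches.php?ref=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Apr/2026:17:50:02 +0000] "GET /pages/watched_searches.php?ref=42%27 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.9 - - [14/Apr/2026:17:50:03 +0000] "GET /pages/watched_searches.php?ref=42%2527 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [14/Apr/2026:17:50:04 +0000] "GET /pages/search.php?ref=42%27 HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == '__main__':
    for ip, ts, ref in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} suspicious ref on {ENDPOINT}: {ref!r}')
```

A 500 response alongside a flagged ref, as in the second sample line, is a typical sign of a syntax-breaking probe and is worth correlating with database error logs.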

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:2.3:a:montala:resourcespace:*:*:*:*:*:*:*:*

Mon, 06 Apr 2026 20:00:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 20:45:00 +0000

Type                 Values Removed   Values Added
Description                           ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watched_searches.php endpoint with crafted SQL payloads to extract sensitive database information including usernames and credentials.
Title                                 ResourceSpace 8.6 SQL Injection via watched_searches.php
First Time appeared                   Montala
                                      Montala resourcespace
Weaknesses                            CWE-89
CPEs                                  cpe:2.3:a:montala:resourcespace:8.6:*:*:*:*:*:*:*
Vendors & Products                    Montala
                                      Montala resourcespace
References
Metrics                               cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                                      cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Montala Resourcespace
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:49:15.342Z

Reserved: 2026-04-05T12:59:40.774Z

Link: CVE-2019-25662

Vulnrichment

Updated: 2026-04-06T18:49:06.083Z

NVD

Status : Analyzed

Published: 2026-04-05T21:16:43.223

Modified: 2026-04-14T16:16:55.097

Link: CVE-2019-25662

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses