Description
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Attackers can send crafted requests with malicious SQL payloads in the menu_lev1 parameter to extract sensitive database information or modify database contents.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL injection enabling data exposure or modification
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the menu_lev1 parameter of Kados GreenBee R10, where an attacker can inject arbitrary SQL code without authentication. This permits extraction of confidential database content or alteration of records, compromising both confidentiality and integrity of the system.

Affected Systems

Kados Inc. products, specifically Kados GreenBee R10. The affected version is identified by the CPE as r10_greenbee, indicating all releases within the R10 family.

Risk and Exploitability

With a CVSS v4.0 score of 8.8 the flaw is classified as high severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a simple HTTP request to the web application, and any user can trigger it because no authentication is required.

Generated by OpenCVE AI on April 7, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kados GreenBee patch that addresses the menu_lev1 SQL injection flaw.
  • If a patch is not yet available, deploy a Web Application Firewall rule to block or sanitize SQL syntax in the menu_lev1 parameter.
  • Restrict HTTP access to the affected endpoint or enforce request validation so that only allowed input is accepted.
  • Monitor application logs for anomalous queries or repeated attempts to manipulate the menu_lev1 parameter.
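The last two recommended actions, request validation and log monitoring for the menu_lev1 parameter, are shown below as an added example in Python. This is not code from OpenCVE, Kados or the GreenBee product; it assumes that menu_lev1 is meant to carry a small numeric menu identifier (the advisory does not say what the parameter holds), and the access-log lines and the in-memory menu table are constructed for the demonstration.

```python
import re
import sqlite3
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption (not stated in the advisory): menu_lev1 is meant to carry a small
# numeric menu identifier, so anything else is rejected by the allow-list.
ALLOWED_MENU_LEV1 = re.compile(r"\d{1,6}")

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [07/Apr/2026:10:01:02 +0000] "GET /index.php?menu_lev1=3 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [07/Apr/2026:10:01:09 +0000] "GET /index.php?menu_lev1=12&lang=en HTTP/1.1" 200 4980',
    '198.51.100.7 - - [07/Apr/2026:10:02:31 +0000] "GET /index.php?menu_lev1=3%27 HTTP/1.1" 500 212',
    '198.51.100.7 - - [07/Apr/2026:10:02:33 +0000] "GET /index.php?menu_lev1=3+OR+1%3D1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Apr/2026:10:03:00 +0000] "GET /about.php HTTP/1.1" 200 1100',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_allowed(value: str) -> bool:
    """Allow-list check: the decoded parameter must be 1-6 ASCII digits, nothing else."""
    return ALLOWED_MENU_LEV1.fullmatch(value) is not None


def menu_lev1_values(target: str) -> list:
    """Return every decoded menu_lev1 value in a request target (repeats included)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("menu_lev1", [])


def scan_log(lines) -> list:
    """Flag requests whose menu_lev1 value fails the allow-list (recommended action 4)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for value in menu_lev1_values(m["target"]):
            if not is_allowed(value):
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "value": value,
                    "status": int(m["status"]),
                })
    return findings


def repeated_offenders(findings, threshold: int = 2) -> dict:
    """Sources with at least `threshold` rejected requests, for alerting on repeated attempts."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory menu table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu (id INTEGER PRIMARY KEY, label TEXT NOT NULL)")
    conn.executemany("INSERT INTO menu VALUES (?, ?)", [(3, "Products"), (12, "Support")])
    return conn


def lookup_menu(conn: sqlite3.Connection, raw_value: str):
    """Server-side handling of menu_lev1 (recommended action 3): allow-list first, then a
    parameterised query so the value can never be interpreted as SQL syntax."""
    if not is_allowed(raw_value):
        raise ValueError("menu_lev1 rejected by allow-list")
    row = conn.execute("SELECT label FROM menu WHERE id = ?", (int(raw_value),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG_LINES)
    for hit in hits:
        print(f"{hit['ts']} {hit['ip']} menu_lev1={hit['value']!r} status={hit['status']}")
    print("repeated:", repeated_offenders(hits))
    db = build_demo_db()
    print(lookup_menu(db, "3"))
```

The scanner decodes the query string the same way the application would (percent-encoding and `+` both resolved), so an encoded quote and a plain one are judged alike; the allow-list is deliberately a positive pattern rather than a list of forbidden SQL tokens, which is the same rule the server-side `lookup_menu` enforces before the value ever reaches a parameterised query.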

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Marmotech; Marmotech kados
  CPEs                 -                cpe:2.3:a:marmotech:kados:r10_greenbee:*:*:*:*:*:*:*
  Vendors & Products   -                Marmotech; Marmotech kados

Tue, 07 Apr 2026 00:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Kados; Kados kados Greenbee
  Vendors & Products   -                Kados; Kados kados Greenbee

Mon, 06 Apr 2026 16:45:00 +0000

  Type                 Values Removed   Values Added
  Metrics              -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

  Type                 Values Removed   Values Added
  Description          -                Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Attackers can send crafted requests with malicious SQL payloads in the menu_lev1 parameter to extract sensitive database information or modify database contents.
  Title                -                Kados R10 GreenBee SQL Injection via menu_lev1 Parameter
  Weaknesses           -                CWE-89
  References           -                -
  Metrics              -                cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                                        cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:26:57.981Z

Reserved: 2026-04-05T15:30:51.680Z

Link: CVE-2019-25688

Vulnrichment

Updated: 2026-04-06T15:22:47.065Z

NVD

Status : Analyzed

Published: 2026-04-05T21:16:47.650

Modified: 2026-04-07T19:36:49.030

Link: CVE-2019-25688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:53:19Z

Weaknesses