Description
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the mng_profile_id parameter. Attackers can send crafted requests with malicious SQL payloads in the mng_profile_id parameter to extract sensitive database information.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Apply Patch
AI Analysis

Impact

Kados R10 GreenBee allows attackers to inject arbitrary SQL through the mng_profile_id parameter. By sending crafted requests that contain malicious SQL code, attackers can manipulate database queries and retrieve sensitive data stored in the system. The compromised information may include confidential business data and user credentials, resulting in a significant breach of confidentiality.

Affected Systems

The vulnerability affects the Kados R10 GreenBee product, released by Marmotech. All installations of the R10 GreenBee edition remain at risk, as specific version ranges are not listed. Organizations using this product should consider every instance potentially vulnerable.

Risk and Exploitability

The vulnerability carries a high severity rating. Current exploitation probability is low, as evidenced by a very small likelihood score, and the flaw is not currently listed in the known exploited vulnerabilities catalog. Exploitation is performed by sending HTTP requests that carry malicious payloads in the mng_profile_id parameter, which makes this a standard web application attack vector.

Generated by OpenCVE AI on April 7, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch released by Marmotech for Kados R10 GreenBee immediately.
  • Ensure that the mng_profile_id parameter is properly sanitized or remove it from publicly accessible endpoints.
  • Configure a web application firewall or equivalent controls to block SQL injection attempts against the mng_profile_id parameter.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Marmotech
Marmotech kados
CPEs cpe:2.3:a:marmotech:kados:r10_greenbee:*:*:*:*:*:*:*
Vendors & Products Marmotech
Marmotech kados

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Kados
Kados kados R10 Greenbee
Vendors & Products Kados
Kados kados R10 Greenbee

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the mng_profile_id parameter. Attackers can send crafted requests with malicious SQL payloads in the mng_profile_id parameter to extract sensitive database information.
Title Kados R10 GreenBee SQL Injection via mng_profile_id
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:26:48.748Z

Reserved: 2026-04-05T15:32:12.280Z

Link: CVE-2019-25690

Vulnrichment

Updated: 2026-04-06T15:22:43.778Z

NVD

Status: Analyzed

Published: 2026-04-05T21:16:47.820

Modified: 2026-04-07T19:20:42.167

Link: CVE-2019-25690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:53:18Z

Weaknesses