Description
ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.
Published: 2026-04-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

ResourceSpace 8.6 contains a flaw that allows an authenticated attacker to inject arbitrary SQL commands through the keywords field in collection_edit.php. By submitting specially crafted POST requests, an attacker can execute any database query, enabling the extraction of sensitive data such as schema names, user credentials, and other confidential information. The description identifies a conventional SQL injection scenario, and the assigned weakness, CWE-89 (SQL Injection), confirms that classification.

Affected Systems

The vulnerability is specific to ResourceSpace version 8.6. No other versions are mentioned as affected, and the flaw is confined to the collection_edit.php component of that release.

Risk and Exploitability

The CVSS score of 7.1 classifies this flaw as high severity, reflecting the potential for significant data exposure once authenticated. The EPSS score is 0.00013, indicating an exploitation probability below 1%, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited public exploitation evidence. Because the flaw requires an authenticated session, the risk is bounded to users who hold legitimate, though possibly compromised, credentials. Once exploited, confidentiality is breached (the CVSS vector rates confidentiality impact as high, C:H), and the ability to execute arbitrary queries could also allow data modification, affecting integrity (rated low, I:L).

Generated by OpenCVE AI on April 18, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether your deployment is running ResourceSpace 8.6
  • Apply the latest vendor-supplied patch or upgrade to a version where the issue is fixed
  • If a patch is not immediately available, restrict access to collection_edit.php to trusted administrators only
  • Ensure the database account used by ResourceSpace has the least privileges necessary to perform required operations


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 16:45:00 +0000

Values added:
  First Time appeared: Montala; Montala resourcespace
  Weaknesses: CWE-89
  CPEs: cpe:2.3:a:montala:resourcespace:8.6:*:*:*:*:*:*:*
  Vendors & Products: Montala; Montala resourcespace

Mon, 13 Apr 2026 17:15:00 +0000

Values added:
  Metrics:
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Values added:
  First Time appeared: Resourcespace; Resourcespace resourcespace
  Vendors & Products: Resourcespace; Resourcespace resourcespace

Sun, 12 Apr 2026 12:45:00 +0000

Values added:
  Description: ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.
  Title: ResourceSpace 8.6 SQL Injection via collection_edit.php
  Weaknesses: CWE-352
  References:
  Metrics:
    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
    cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T15:36:40.688Z

Reserved: 2026-04-05T15:33:50.051Z

Link: CVE-2019-25693

Vulnrichment

Updated: 2026-04-13T15:36:16.672Z

NVD

Status : Analyzed

Published: 2026-04-12T13:16:32.270

Modified: 2026-04-17T16:37:04.143

Link: CVE-2019-25693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses