Description
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the language_tag parameter. Attackers can submit malicious SQL statements in the language_tag parameter to extract sensitive database information or modify data.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection allowing data exfiltration or modification
Action: Immediate patch
AI Analysis

Impact

A flaw in Kados R10 GreenBee lets attackers insert arbitrary SQL code via the language_tag HTTP parameter. This injection can be used to read confidential database information or alter stored data, compromising both confidentiality and integrity. The vulnerability is a classic example of unchecked input leading to a database query tampering issue marked by CWE-89.

Affected Systems

The weakness appears in the Kados R10 GreenBee application, released by Marmotech. No sub‑version details are provided, so all publicly delivered copies of R10 GreenBee running the affected component are at risk. Administrators should verify that their installed instance is the R10 GreenBee version and check for any available patches or newer releases.

Risk and Exploitability

The score of 8.8 on the CVSS scale indicates high severity, and an EPSS of less than 1% suggests exploitation is presently unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely succeed by sending a crafted HTTP request containing malicious SQL to the language_tag field, assuming the web front‑end is exposed. The path is remote and does not require local or privileged access.

Generated by OpenCVE AI on April 7, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade Kados R10 GreenBee to a version that addresses the SQL injection flaw.

Generated by OpenCVE AI on April 7, 2026 at 22:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Marmotech
Marmotech kados
CPEs cpe:2.3:a:marmotech:kados:r10_greenbee:*:*:*:*:*:*:*
Vendors & Products Marmotech
Marmotech kados

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Kados
Kados kados R10 Greenbee
Vendors & Products Kados
Kados kados R10 Greenbee

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the language_tag parameter. Attackers can submit malicious SQL statements in the language_tag parameter to extract sensitive database information or modify data.
Title Kados R10 GreenBee SQL Injection via language_tag Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Kados Kados R10 Greenbee
Marmotech Kados
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:41:46.086Z

Reserved: 2026-04-05T15:35:10.792Z

Link: CVE-2019-25696

cve-icon Vulnrichment

Updated: 2026-04-06T15:41:27.653Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-05T21:16:48.317

Modified: 2026-04-07T19:37:26.027

Link: CVE-2019-25696

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:53:14Z

Weaknesses