Description
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the sort_direction parameter. Attackers can submit malicious SQL statements in the sort_direction parameter to extract sensitive database information or modify data.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data disclosure and modification via SQL injection
Action: Patch
AI Analysis

Impact

Kados R10 GreenBee is vulnerable to a classic SQL injection that can be triggered by sending crafted input in the sort_direction parameter of the web interface. An attacker who successfully injects malicious SQL can retrieve sensitive database contents or alter data, potentially compromising confidentiality, integrity, and the reliability of the application.

Affected Systems

The vulnerability affects the Kados R10 GreenBee product from the Kados vendor. No specific version information is provided in the CVE data; any installation of the product is presumed to be affected until a patch is applied.

Risk and Exploitability

The CVSS score of 8.8 highlights a high severity level, while the EPSS score of less than 1% indicates a low likelihood that this vulnerability is actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves accessing the web application and sending an HTTP request that includes a malicious payload in the sort_direction parameter. It is inferred that the exploit could be performed without special privileges, making it potentially reachable to unauthenticated users who can reach the affected endpoint.

Generated by OpenCVE AI on April 7, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch or update for Kados R10 GreenBee as issued by the vendor.
  • If a patch is unavailable, restrict the sort_direction parameter to a strict whitelist of acceptable values (e.g., "ASC" and "DESC") and validate input on the server side.
  • Consider temporarily disabling the feature that accepts sort_direction if the functionality is unnecessary for your environment.
  • Monitor web server logs for unusual request patterns that may indicate attempted SQL injection.

Generated by OpenCVE AI on April 7, 2026 at 22:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Marmotech
Marmotech kados
CPEs cpe:2.3:a:marmotech:kados:r10_greenbee:*:*:*:*:*:*:*
Vendors & Products Marmotech
Marmotech kados

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Kados
Kados kados R10 Greenbee
Vendors & Products Kados
Kados kados R10 Greenbee

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the sort_direction parameter. Attackers can submit malicious SQL statements in the sort_direction parameter to extract sensitive database information or modify data.
Title Kados R10 GreenBee SQL Injection via sort_direction Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Kados Kados R10 Greenbee
Marmotech Kados
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:15:12.213Z

Reserved: 2026-04-05T15:36:56.021Z

Link: CVE-2019-25700

cve-icon Vulnrichment

Updated: 2026-04-06T18:15:07.298Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-05T21:16:48.643

Modified: 2026-04-07T19:37:08.427

Link: CVE-2019-25700

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:53:11Z

Weaknesses