Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.

This issue affects windesk.Fm: before v2.3.4. 
NOTE: 
The vendor patched the vulnerability after the CVE was published.
Published: 2026-02-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE details a SQL injection flaw caused by improper neutralization of special elements in user-supplied input within SQL commands in Signum Technology Promotion and Training Inc.'s Windesk.Fm. The vulnerability permits attackers to inject and execute arbitrary SQL statements, potentially exposing or altering database contents. It exists in all releases before v2.3.4, but Signum has issued a patch after the CVE was publicized.

Affected Systems

Windesk.Fm versions prior to 2.3.4 are affected. The product is supplied by Signum Technology Promotion and Training Inc.

Risk and Exploitability

The CVSS score of 9.8 highlights a critical risk, while the EPSS score of less than 1% indicates a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote via the web interface where user-supplied input is incorporated into SQL queries without proper sanitization. An attacker could abuse this to read, modify, or delete data in the underlying database if the database user has sufficient privileges.

Generated by OpenCVE AI on June 4, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Windesk.Fm to version 2.3.4 or later.
  • Ensure all user-supplied input is sanitized and use parameterized queries to prevent SQL injection.
  • Monitor database logs for suspicious activity and, if necessary, restrict database privileges or isolate the database from the web-facing application.

Generated by OpenCVE AI on June 4, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.This issue affects windesk.Fm: before v2.3.4.  NOTE:  The vendor patched the vulnerability after the CVE was published. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection. This issue affects windesk.Fm: before v2.3.4.  NOTE:  The vendor patched the vulnerability after the CVE was published.
References

Thu, 16 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.This issue affects windesk.Fm: through 27022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.This issue affects windesk.Fm: before v2.3.4.  NOTE:  The vendor patched the vulnerability after the CVE was published.

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Signum Technology Promotion And Training
Signum Technology Promotion And Training windesk.fm
Vendors & Products Signum Technology Promotion And Training
Signum Technology Promotion And Training windesk.fm

Sat, 28 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Signumtte
Signumtte windesk.fm
CPEs cpe:2.3:a:signumtte:windesk.fm:*:*:*:*:*:*:*:*
Vendors & Products Signumtte
Signumtte windesk.fm

Fri, 27 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.This issue affects windesk.Fm: through 27022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Title SQLi in Signum Technologies' windesk.fm
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Signum Technology Promotion And Training Windesk.fm
Signumtte Windesk.fm
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-06-04T19:34:34.495Z

Reserved: 2025-10-03T11:31:07.895Z

Link: CVE-2025-11252

cve-icon Vulnrichment

Updated: 2026-03-06T15:33:41.643Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T13:16:01.343

Modified: 2026-06-04T20:16:55.780

Link: CVE-2025-11252

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T21:30:23Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')