Description
SQL Injection in Cuantis. This vulnerability allows an attacker to retrieve, create, update and delete databases through the 'search' parameter in the '/search.php' endpoint.
Published: 2026-03-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL injection leading to full database compromise
Action: Apply Mitigation
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw that allows an attacker to execute arbitrary SQL statements through the 'search' parameter in the '/search.php' endpoint. Because the input is not sanitized, an attacker can read, create, update, or delete database records, thereby compromising the confidentiality, integrity, and availability of the application’s data.

Affected Systems

This flaw affects the Cuantis application across all versions, as indicated by the product listing. No specific version is exempt, so every deployed instance of Cuantis is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 9.3 this issue is classified as critical. No EPSS score is available and the vulnerability has not been included in CISA’s KEV catalog, suggesting it may not yet be widely exploited. The attack vector is inferred to be remote through HTTP requests to '/search.php', and an attacker must supply a crafted search string to trigger the injection. Given the high impact and lack of a vendor patch, the risk remains very high until a mitigation is applied.

Generated by OpenCVE AI on March 23, 2026 at 14:51 UTC.

Remediation

Vendor Solution

There is no solution reported at this time.

OpenCVE Recommended Actions

  • No official patch is currently available; contact Cuantis support for guidance
  • Validate and sanitize the 'search' parameter or use parameterized queries to eliminate injection risk
  • Deploy a web application firewall or IDS rule that detects and blocks SQL injection patterns targeting '/search.php'
  • Enable comprehensive logging on the web server and database to identify anomalous queries and investigate potential breaches
  • Restrict or disable the '/search.php' endpoint for unauthenticated users until a fix is available

Generated by OpenCVE AI on March 23, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description SQL Injection in Cuantis. This vulnerability allows an attacker to retrieve, create, update and delete databases through the 'search' parameter in the '/search.php' endpoint.
Title SQL Injection in Cuantis
First Time appeared Cuantis
Cuantis cuantis
Weaknesses CWE-89
CPEs cpe:2.3:a:cuantis:cuantis:all_versions:*:*:*:*:*:*:*
Vendors & Products Cuantis
Cuantis cuantis
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Cuantis Cuantis
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-23T15:52:09.342Z

Reserved: 2025-04-16T09:08:43.217Z

Link: CVE-2025-41007

cve-icon Vulnrichment

Updated: 2026-03-23T15:19:11.311Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T13:16:29.913

Modified: 2026-03-23T14:31:37.267

Link: CVE-2025-41007

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:49:15Z

Weaknesses