Description
SQL injection vulnerability in Sinturno. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint.
Published: 2026-03-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data exposure and manipulation through unauthorized database access
Action: Immediate Patch
AI Analysis

Impact

A classic SQL injection flaw exists in the Sinturno application, specifically on the '/_adm/scripts/modalReport_data.php' endpoint. The vulnerability is triggered by the 'client' parameter and allows an attacker to read, create, modify, or delete database records. The flaw falls under CWE-89, indicating unchecked user input is directly incorporated into SQL statements, compounding risk to confidentiality and integrity. If exploited, an attacker could exfiltrate sensitive data or corrupt database contents, undermining system reliability and trust.

Affected Systems

The affected product is Sinturno by Sinturno, with all listed versions considered vulnerable. The CPE entry indicates that no specific version boundary protects against the issue, placing every deployed instance at risk until remediation is undertaken.

Risk and Exploitability

The CVSS 4.0 score of 9.3 places the issue in the Critical band, and although EPSS data is unavailable, the absence of a listing in the CISA KEV catalog suggests no active exploitation is publicly documented. Nevertheless, the attack vector is network-based web traffic: any user able to reach the vulnerable endpoint can supply malicious input in the 'client' parameter. Per the description, successful exploitation requires no special credentials (the vector records PR:N and UI:N), so authentication is either unnecessary or limited to existing UI access privileges. The vulnerability therefore poses a significant threat if left unpatched, with the potential for full database compromise.

Generated by OpenCVE AI on March 23, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Sinturno support to obtain a patch or identify a fixed release
  • If no patch exists, block external access to the '/_adm/scripts/modalReport_data.php' endpoint using firewall or web server rules
  • Verify that the application implements input validation and parameterized queries for the 'client' parameter (if code changes are possible)
  • Continuously monitor and scan web applications for SQL injection vulnerabilities
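The third recommended action asks for input validation and parameterized queries on the 'client' parameter. The PHP below is an added example written for this page; it is not Sinturno's code and is not taken from the advisory. It places the CWE-89 pattern (untrusted input concatenated into a SQL string) next to a hardened form that validates the value and binds it through a PDO prepared statement, then exercises both against an in-memory SQLite table with constructed rows. The table and column names (reports, client_id), the assumption that client identifiers are positive integers, and the function names are all hypothetical.

```php
<?php
// Added example (not Sinturno code). Table/column names and the integer
// client-id assumption are hypothetical.
declare(strict_types=1);

// Vulnerable pattern (CWE-89): the untrusted 'client' value is spliced into
// the SQL text, so the database parses whatever the caller sent as query syntax.
function fetchReportsUnsafe(PDO $db, string $client): array
{
    $sql = "SELECT id, title, created_at FROM reports WHERE client_id = '" . $client . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form, step 1: validate the shape of the input before it reaches
// the database layer. Assumption: client identifiers are positive integers.
function validateClientId(string $raw): int
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        throw new InvalidArgumentException('client must be a positive integer');
    }
    return (int) $raw;
}

// Hardened form, step 2: bind the validated value as a typed parameter so the
// database only ever sees it as data, never as part of the statement.
function fetchReportsSafe(PDO $db, string $rawClient): array
{
    $clientId = validateClientId($rawClient);
    $stmt = $db->prepare('SELECT id, title, created_at FROM reports WHERE client_id = :client');
    $stmt->bindValue(':client', $clientId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demonstration on an in-memory SQLite database (constructed rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reports (id INTEGER PRIMARY KEY, client_id INTEGER, title TEXT, created_at TEXT)');
$db->exec("INSERT INTO reports (client_id, title, created_at)
           VALUES (1, 'January', '2026-01-31'), (2, 'February', '2026-02-28')");

// Well-formed request: both variants return the same single row.
echo 'unsafe, client=1: ' . count(fetchReportsUnsafe($db, '1')) . " row(s)\n";
echo 'safe,   client=1: ' . count(fetchReportsSafe($db, '1')) . " row(s)\n";

// A stray quote character: the concatenated query is no longer valid SQL,
// which is the classic symptom defenders look for when triaging CWE-89.
try {
    fetchReportsUnsafe($db, "1'");
} catch (PDOException $e) {
    echo "unsafe, client=1': query broke (" . $e->getMessage() . ")\n";
}

// The hardened path rejects the same value before any SQL is built.
try {
    fetchReportsSafe($db, "1'");
} catch (InvalidArgumentException $e) {
    echo "safe,   client=1': rejected (" . $e->getMessage() . ")\n";
}
```

When verifying a fix against MySQL rather than SQLite, also set PDO::ATTR_EMULATE_PREPARES to false so that binding happens server-side instead of through client-side string substitution; the validation step stays in place either way, because it limits what the endpoint accepts regardless of how the query is built.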

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 13:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: SQL injection vulnerability in Sinturno. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint.

Type: Title
Values Removed: (empty)
Values Added: SQL Injection in Sinturno

Type: First Time appeared
Values Removed: (empty)
Values Added: Sinturno; Sinturno sinturno

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-89

Type: CPEs
Values Removed: (empty)
Values Added: cpe:2.3:a:sinturno:sinturno:all_versions:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (empty)
Values Added: Sinturno; Sinturno sinturno

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-23T13:46:46.627Z

Reserved: 2025-04-16T09:08:43.217Z

Link: CVE-2025-41008

Vulnrichment

Updated: 2026-03-23T13:46:40.136Z

NVD

Status: Awaiting Analysis

Published: 2026-03-23T14:16:29.513

Modified: 2026-03-23T14:31:37.267

Link: CVE-2025-41008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:07Z

Weaknesses