Description
A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.
Published: 2026-04-21
Score: n/a
EPSS: n/a
KEV: No
Impact: SQL Injection enabling unauthorized database access and potential data modification
Action: Patch Immediately
AI Analysis

Impact

A SQL injection flaw exists in Genesys Latitude version 25.1.0.420 where unsanitized user-supplied input is concatenated directly into SQL statements. An attacker who can authenticate to the application can craft input that is executed by the backend database, allowing the execution of arbitrary SQL queries. This can lead to unauthorized data exfiltration, tampering, or deletion, compromising both confidentiality and integrity of the stored information.

Affected Systems

The vulnerability affects the Genesys Latitude product, specifically version 25.1.0.420. No other vendors or product variants are identified in the current data set.

Risk and Exploitability

No public CVSS score is provided and EPSS information is unavailable, but the vulnerability is known to be exploitable by authenticated users. Because the flaw allows arbitrary SQL execution, the potential impact is significant. The attack is likely carried out through the application's authenticated interface, so the attacker needs valid credentials with enough privilege to reach the input that the application passes to the database. The absence of a KEV listing suggests that widespread exploitation has not yet been observed, but the high severity inherent to SQL injection warrants immediate attention.

Generated by OpenCVE AI on April 22, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Genesys Latitude to a patched version that removes the vulnerable code path
  • Apply input validation and use parameterized queries to eliminate unsanitized string concatenation
  • Limit the database credentials used by Genesys to only the permissions required for its normal operation
  • Ensure network segmentation keeps the database isolated from unauthorized network zones


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:45:00 +0000

  Title (added): SQL Injection in Genesys Latitude Enabling Arbitrary Database Access
  Weaknesses (added): CWE-89

Wed, 22 Apr 2026 00:00:00 +0000

  Description (added): A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.
  References (added): none listed

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T20:48:54.120Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70420

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:22.900

Modified: 2026-04-21T21:16:22.900

Link: CVE-2025-70420

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:00:09Z

Weaknesses