Description
A vulnerability was detected in Grit42 Grit up to 0.11.0. Affected by this issue is some unknown functionality of the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb of the component GritEntityController. Performing a manipulation results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-14
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in Grit42’s GritEntityController allows an attacker to inject and execute arbitrary SQL statements by manipulating input sent to the CSV export endpoint. The vulnerability is rooted in unsanitized data handling, corresponding to CWE‑74 and CWE‑89. Successful exploitation would grant the attacker unauthorized access to the underlying database, enabling data exfiltration, tampering, or privilege escalation within the application. The description states that the attack can be initiated remotely, meaning it can be carried out over the network without local access.

Affected Systems

Versions of Grit up to and including 0.11.0 are affected. In particular, any installation using the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb in those releases is vulnerable. The vulnerability is specific to the Grit42 product line and does not affect other vendors or components.

Risk and Exploitability

The CVSS score of 5.3 categorizes this flaw as moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation may not yet be occurring. However, because the flaw can be triggered remotely via a public endpoint and exploit code has been publicly disclosed, the risk remains significant. An attacker need only craft a malicious request against the CSV export functionality; no additional privilege escalation steps are required beyond the application context.

Generated by OpenCVE AI on June 14, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grit to a version newer than 0.11.0 or apply the vendor’s official patch once released.
  • Restrict access to the CSV export endpoint by limiting the allowed source IP ranges or enforcing strict authentication and role‑based access controls.
  • Deploy a web application firewall or intrusion detection rule that detects and blocks typical SQL injection payloads within incoming requests.

Advisories

No advisories yet.

History

Sun, 14 Jun 2026 22:45:00 +0000

Type / Values Removed / Values Added

Values Removed: (none)

Values Added:
  • Description: A vulnerability was detected in Grit42 Grit up to 0.11.0. Affected by this issue is some unknown functionality of the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb of the component GritEntityController. Performing a manipulation results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title: Grit42 Grit GritEntityController grit_entity_controller.rb sql injection
  • First Time appeared: Grit42; Grit42 grit
  • Weaknesses: CWE-74; CWE-89
  • CPEs: cpe:2.3:a:grit42:grit:*:*:*:*:*:*:*:*
  • Vendors & Products: Grit42; Grit42 grit
  • References: (none)
  • Metrics:
      cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-14T22:15:08.298Z

Reserved: 2026-06-14T06:33:25.578Z

Link: CVE-2026-12188

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-14T23:16:35.440

Modified: 2026-06-14T23:16:35.440

Link: CVE-2026-12188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-14T23:30:06Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')