Description
A vulnerability was identified in Grit42 Grit up to 0.11.0. This issue affects the function Grit::Assays::DataTableEntity of the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Affected versions of Grit42 Grit contain a flaw in the Grit::Assays::DataTableEntity function in data_table_entity.rb that lets crafted request parameters inject arbitrary SQL. The injection could lead to unauthorized data exposure, manipulation, or deletion. This vulnerability is classified as a classic SQL Injection and is considered a moderate threat.

Affected Systems

The issue applies to Grit42 Grit versions up to 0.11.0. Any deployment of these versions that exposes the DataTableEntity endpoint to external input is potentially vulnerable. The problem originates from the backend app models handling assay data, specifically the data_table_entity module.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, and the public availability of exploit code suggests that a motivated attacker could exploit it without special local access. The risk is confined to systems that expose the vulnerable endpoint and accept untrusted input.

Generated by OpenCVE AI on June 15, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grit42 Grit to a version newer than 0.11.0 once the vendor releases a fix
  • Review and refactor the DataTableEntity implementation to use parameterized queries or an ORM abstraction that escapes user input
  • If an immediate patch is unavailable, restrict external access to the DataTableEntity endpoint via firewall rules or network segmentation
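
As an added illustration of the refactoring recommended above (not code from Grit42 Grit; the table name, column names and the shape of the request parameters are assumptions for the example), here is the interpolated query-building pattern beside an allowlist-plus-bind-parameter version in Ruby:

```ruby
require "set"

# Unsafe pattern: every request parameter (filter column, filter value,
# sort column, direction) is interpolated straight into the statement,
# so any of them can change the structure of the SQL.
def unsafe_table_query(params)
  sql = "SELECT * FROM data_table_entities"
  sql += " WHERE #{params[:filter_column]} = '#{params[:filter_value]}'" if params[:filter_column]
  sql += " ORDER BY #{params[:sort]} #{params[:direction]}" if params[:sort]
  sql
end

# Identifiers cannot be passed as bind parameters, so they are checked
# against an allowlist instead. Column names here are assumed.
ALLOWED_COLUMNS = %w[id name assay_id created_at].to_set.freeze
ALLOWED_DIRECTIONS = %w[ASC DESC].to_set.freeze

def checked_identifier(name, allowed)
  raise ArgumentError, "rejected identifier #{name.inspect}" unless allowed.include?(name.to_s)
  name.to_s
end

# Safe pattern: identifiers and sort direction come from the allowlists,
# values stay bind parameters. The returned [sql, binds] pair is the same
# shape ActiveRecord accepts as Model.where("name = ?", value).
def safe_table_query(params)
  sql = "SELECT * FROM data_table_entities"
  binds = []
  if params[:filter_column]
    col = checked_identifier(params[:filter_column], ALLOWED_COLUMNS)
    sql += " WHERE #{col} = ?"
    binds << params[:filter_value].to_s
  end
  if params[:sort]
    col = checked_identifier(params[:sort], ALLOWED_COLUMNS)
    dir = checked_identifier((params[:direction] || "ASC").to_s.upcase, ALLOWED_DIRECTIONS)
    sql += " ORDER BY #{col} #{dir}"
  end
  [sql, binds]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: the filter value carries a quote.
  req = { filter_column: "name", filter_value: "x' OR '1'='1", sort: "id", direction: "asc" }
  puts unsafe_table_query(req)          # quote lands inside the statement
  sql, binds = safe_table_query(req)
  puts sql, binds.inspect               # value stays in the bind list
end
```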

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 02:00:00 +0000

Type                 Values Removed   Values Added
Description          -                A vulnerability was identified in Grit42 Grit up to 0.11.0. This issue affects the function Grit::Assays::DataTableEntity of the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                -                Grit42 Grit data_table_entity.rb DataTableEntity sql injection
First Time appeared  -                Grit42; Grit42 grit
Weaknesses           -                CWE-74; CWE-89
CPEs                 -                cpe:2.3:a:grit42:grit:*:*:*:*:*:*:*:*
Vendors & Products   -                Grit42; Grit42 grit
References           -                -
Metrics              -                cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T01:30:08.215Z

Reserved: 2026-06-14T12:19:34.007Z

Link: CVE-2026-12206

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T02:16:12.477

Modified: 2026-06-15T02:16:12.477

Link: CVE-2026-12206

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T04:00:08Z

Weaknesses
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')