Description
A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue.
Published: 2026-02-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized database manipulation via SQL injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in a function of iomad's Company Admin Block that the advisory does not name. Request input that is not properly sanitized before being embedded in a database query lets an attacker inject arbitrary SQL, allowing the attacker to read, modify or delete data. The entry is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, the general injection class) and CWE-89 (SQL Injection); the published CVSS vectors rate the resulting impact on confidentiality, integrity and availability as low (C:L/I:L/A:L) and confined to the application's own database rather than the underlying host (S:U).

Affected Systems

The flaw is present in iomad releases up to and including version 5.0. Every deployment running one of these releases is potentially exposed when the affected component is reachable over the network. No operating system or platform constraints are given, so the exposure applies to any environment hosting a vulnerable instance.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 indicates medium severity (the v3.0 and v3.1 vectors score 4.7), while the EPSS score below 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. The attack vector is network: the malicious input is submitted over the network to the vulnerable functionality. Every published vector, however, requires high privileges (PR:H in CVSS v3.x and v4.0, Au:M in CVSS v2), so exploitation presupposes an account with elevated rights in the block rather than anonymous access. The temporal metrics record a proof of concept (E:P / E:POC), and the SSVC assessment recorded in the history lists exploitation as none, the attack as not automatable and the technical impact as partial.

Generated by OpenCVE AI on April 18, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround is currently recorded in the CVE entry. Note that the description first published on 2026-02-05 stated that upgrading to 4.5 LTS or 5.0 addresses the issue; that sentence was replaced the same day with generic patch advice (see History below), so the fixed release should be confirmed against the iomad project's own release notes before relying on either version number.

OpenCVE Recommended Actions

  • Apply the latest iomad update that fixes the Company Admin Block injection issue, ensuring the software version exceeds 5.0.
  • Restrict external network access to the iomad instance by placing it behind a firewall and limiting connections to trusted administrative networks only.
  • Validate and type-check every request parameter before use, and pass user-supplied values to the database only as bound parameters (placeholders), never by concatenating them into SQL text, for every query the Company Admin Block issues; escape LIKE wildcards separately where a value is used in a pattern match.
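As an added illustration of the last point (example code written for this page, not code from iomad, Moodle or the OpenCVE entry): a company lookup in the vulnerable concatenation style beside its hardened form. It assumes the block is a Moodle-style PHP plugin where the `$DB` DML object, `clean_param()`, `required_param()` and the `PARAM_*` constants are available, and a hypothetical `company` table with `id` and `name` columns; the function names are invented for the example.

```php
<?php
// Added example (not iomad's code). Assumes a Moodle-style plugin context:
// $DB (moodle_database), clean_param()/required_param() and PARAM_* are available,
// and a hypothetical {company} table has 'id' and 'name' columns.

defined('MOODLE_INTERNAL') || die();

/**
 * VULNERABLE: the untrusted request value is concatenated straight into SQL.
 * A search of  x' OR 1=1 --   (note the trailing space, which MySQL needs to
 * treat "--" as a comment) returns every company; a UNION SELECT in the same
 * position can read other tables. Nothing here limits what the value may contain.
 */
function company_admin_find_vulnerable(string $search): array {
    global $DB;
    $sql = "SELECT id, name FROM {company} WHERE name LIKE '%" . $search . "%'";
    return $DB->get_records_sql($sql);
}

/**
 * HARDENED: the value is type-cleaned, its LIKE metacharacters are escaped,
 * and it reaches the database only as a bound parameter, so a quote inside it
 * can never terminate the string literal or change the statement.
 */
function company_admin_find_hardened(string $search): array {
    global $DB;
    // clean_param() applies the same cleaning required_param()/optional_param() use.
    $search = clean_param($search, PARAM_TEXT);
    // sql_like() builds a portable LIKE clause against a named placeholder;
    // sql_like_escape() neutralises % and _ so the user cannot widen the match.
    $like   = $DB->sql_like('name', ':search', false);
    $params = ['search' => '%' . $DB->sql_like_escape($search) . '%'];
    return $DB->get_records_sql("SELECT id, name FROM {company} WHERE $like", $params);
}

/**
 * Typical entry point for a lookup by id: the parameter is declared as an
 * integer when it is read, so a non-numeric value is rejected before any SQL
 * is built, and the lookup itself goes through the array-conditions API,
 * which binds the value for you.
 */
function company_admin_get_company(): ?stdClass {
    global $DB;
    $companyid = required_param('companyid', PARAM_INT);
    $record = $DB->get_record('company', ['id' => $companyid], 'id, name');
    return $record === false ? null : $record;
}
```

The hardened lookup does three things the vulnerable one does not: it cleans the value to the declared type, escapes the `%` and `_` wildcards so a caller cannot turn a name search into a match-everything query, and binds the value as a placeholder so the database driver never parses it as SQL. Using the `{company}` table notation and placeholders also keeps the query portable across the database backends the DML layer supports, which is the reason to prefer them over hand-built quoting even where a driver-specific escape function exists.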

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 12:15:00 +0000

Type: First Time appeared
  Values Added: Iomad; Iomad company Admin Block
Type: Vendors & Products
  Values Added: Iomad; Iomad company Admin Block

Thu, 05 Feb 2026 16:15:00 +0000

Type: Description
  Values Removed: A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. Upgrading to version 4.5 LTS and 5.0 is able to address this issue. You should upgrade the affected component.
  Values Added: A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue.

Thu, 05 Feb 2026 14:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 12:15:00 +0000

Type: Description
  Values Added: A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. Upgrading to version 4.5 LTS and 5.0 is able to address this issue. You should upgrade the affected component.
Type: Title
  Values Added: iomad Company Admin Block sql injection
Type: Weaknesses
  Values Added: CWE-74; CWE-89
Type: References
  Values Added: (none)
Type: Metrics
  Values Added:
    cvssV2_0  {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0  {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV3_1  {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV4_0  {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:18:49.693Z

Reserved: 2026-01-28T06:31:08.514Z

Link: CVE-2026-1517

Vulnrichment

Updated: 2026-02-05T14:08:47.965Z

NVD

Status : Deferred

Published: 2026-02-05T12:15:59.930

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses