Description
The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time-based blind SQL injection vulnerability in the webhook edit and scanner API endpoints allows an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch.
Published: 2026-01-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary SQL execution leading to data compromise
Action: Patch
AI Analysis

Impact

The vulnerability arises from unsanitized input in the webhook edit and scanner API endpoints of Tarkov Data Manager. An attacker who has acquired valid user credentials can inject SQL statements, enabling the execution of arbitrary queries against the MySQL database. This can result in unauthorized read, modification, or deletion of any database content, compromising confidentiality, integrity, and possibly availability.

Affected Systems

All instances of Tarkov Data Manager running versions before commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 are affected. The patch included in that commit resolves the flaw.

Risk and Exploitability

The CVSS base score of 7.2 indicates high severity, while the EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild. Exploitation requires authentication, so an attacker needs legitimate credentials or a compromised account. Once authenticated, the attacker can execute arbitrary SQL, posing a serious risk to data integrity and confidentiality. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed active exploitation at this time.

Generated by OpenCVE AI on April 18, 2026 at 07:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Tarkov Data Manager to the patched commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 and deploy the new release.
  • Restrict permissions on the webhook and scanner API endpoints by applying least‑privilege roles to reduce the impact if an attacker gains credential access.
  • Run automated penetration tests or vulnerability scans against the modified endpoints to confirm that SQL injection is no longer possible before re‑enabling them for production traffic.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tarkov; Tarkov tarkov Data Manager
CPEs | | cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:*
Vendors & Products | | Tarkov; Tarkov tarkov Data Manager

Wed, 07 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time-based blind SQL injection vulnerability in the webhook edit and scanner API endpoints allows an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch.
Title | | Tarkov Data Manager has Authenticated SQL Injection
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:34:40.382Z

Reserved: 2026-01-05T16:44:16.367Z

Link: CVE-2026-21856

Vulnrichment

Updated: 2026-01-07T18:34:14.778Z

NVD

Status: Analyzed

Published: 2026-01-07T19:15:58.147

Modified: 2026-02-03T16:19:36.620

Link: CVE-2026-21856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z