Description
GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
Published: 2026-01-09
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized database access via SQL injection
Action: Immediate Patch
AI Analysis

Impact

GestSup versions earlier than 3.2.60 allow an authenticated user to inject arbitrary SQL through the search input field. The input is incorporated into database queries without sufficient neutralization, enabling the attacker to access or modify table data depending on the privileges granted to the database account. This flaw falls directly under the SQL Injection weakness (CWE-89).

Affected Systems

The vulnerability affects all installations of GestSup in any environment where the search bar is enabled and the user has authenticated access. Versions older than 3.2.60 are vulnerable; upgrading to 3.2.60 or later removes the flaw.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity for confidentiality, integrity, and availability. The EPSS score of less than 1% suggests the probability of exploitation is low at present, and the issue is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated session and access to the web interface; exploitation is straightforward once the conditions are met, allowing an attacker to read or alter database contents.

Generated by OpenCVE AI on April 16, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GestSup to version 3.2.60 or later to remove the vulnerable search functionality.
  • If an immediate upgrade is not possible, disable the search bar feature or enforce strict access controls so that only privileged roles can use it.
  • Modify the application to use parameterized queries or prepared statements for all user input, thereby preventing future injection vulnerabilities.
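The third action above is the one that actually closes the weakness class. The following is an added example, not GestSup's own code: a constructed in-memory ticket table and two search functions show why string-spliced SQL lets a search term rewrite the query (here, escaping the per-user owner filter and returning another user's rows), while the parameterized form binds the same input as a literal and returns nothing. The schema, row data and function names are assumptions made for this illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a helpdesk database;
    # the schema and rows are assumptions, not GestSup's own.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ticket (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO ticket (title, owner) VALUES (?, ?)",
        [
            ("Printer offline", "alice"),
            ("VPN password reset", "bob"),
            ("Laptop order", "alice"),
        ],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, owner, term):
    # Anti-pattern (CWE-89): the search term is spliced into the SQL text,
    # so a quote character in `term` ends the literal and the rest of the
    # input is parsed as SQL. The owner filter can then be neutralised.
    sql = (
        "SELECT id, title FROM ticket WHERE owner = '" + owner + "' "
        "AND title LIKE '%" + term + "%'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, owner, term):
    # Fix: placeholders bind the values; the term is never parsed as SQL.
    # LIKE metacharacters in user input are escaped so they match literally.
    escaped = (
        term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = (
        "SELECT id, title FROM ticket WHERE owner = ? "
        "AND title LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, (owner, f"%{escaped}%")).fetchall()


def demo():
    """Run both implementations on a normal term and on a term carrying
    SQL syntax, and return the four result sets for comparison."""
    conn = make_db()
    normal = "Printer"
    # Constructed search input containing a quote and an always-true clause:
    # in the vulnerable query it becomes
    #   ... AND title LIKE '%x%' OR 'a' LIKE '%a%'
    # which matches every row regardless of owner.
    hostile = "x%' OR 'a' LIKE '%a"
    return {
        "vulnerable_normal": search_vulnerable(conn, "alice", normal),
        "vulnerable_hostile": search_vulnerable(conn, "alice", hostile),
        "fixed_normal": search_parameterized(conn, "alice", normal),
        "fixed_hostile": search_parameterized(conn, "alice", hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Note that the parameterized version still needs the ESCAPE clause: binding stops the input from changing the statement, but `%` and `_` inside a LIKE pattern remain wildcards, so a search for `_` would otherwise match every one-character position. Treating both concerns separately (structure via placeholders, pattern semantics via escaping) is what "parameterized queries for all user input" should mean in practice.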

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:45:00 +0000
  CPEs (added): cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:*
  Metrics (added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Wed, 14 Jan 2026 16:30:00 +0000
  Description (removed): GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
  Description (added): GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
  Title (removed): GestSup <= 3.2.56 SQL Injection in Search Bar
  Title (added): GestSup < 3.2.60 SQL Injection in Search Bar

Mon, 12 Jan 2026 14:45:00 +0000
  First Time appeared (added): Gestsup; Gestsup gestsup
  Vendors & Products (added): Gestsup; Gestsup gestsup

Fri, 09 Jan 2026 19:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 16:30:00 +0000
  Description (added): GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
  Title (added): GestSup <= 3.2.56 SQL Injection in Search Bar
  Weaknesses (added): CWE-89
  References (added): none listed
  Metrics (added): cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:13.382Z

Reserved: 2026-01-06T16:47:17.184Z

Link: CVE-2026-22195

Vulnrichment

Updated: 2026-01-09T17:48:11.762Z

NVD

Status: Analyzed

Published: 2026-01-09T17:15:54.903

Modified: 2026-01-14T19:37:21.933

Link: CVE-2026-22195

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses