Description
GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
Published: 2026-01-09
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Patch Immediately
AI Analysis

Impact

GestSup versions prior to 3.2.60 contain a SQL injection flaw in the ticket creation feature. The flaw allows an attacker who is already authenticated to supply crafted input that is inserted into database queries without proper sanitization. If leveraged, an attacker can read, alter, or delete records in the application database, potentially exposing sensitive information or corrupting business data.

Affected Systems

The GestSup ticket management application, in any deployment running a version earlier than 3.2.60.

Risk and Exploitability

The CVSS score of 7.7 indicates a high rating. EPSS suggests a low probability of exploitation in the general population, and the vulnerability can only be exploited with valid user credentials, so the attack path is confined to authenticated users of the application. The weakness is an unchecked concatenation of user input into SQL statements (CWE-89), reachable only by users with sufficient permissions to create tickets. Even with these conditions, the potential impact on confidentiality, integrity, and availability is significant. The vulnerability is not currently listed in CISA KEV, which means no evidence of known exploitation has been reported, yet the possibility of a targeted exploit remains.

Generated by OpenCVE AI on April 16, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GestSup to version 3.2.60 or later to apply the proper input sanitization fix.
  • Restrict the privileges of the database account used by the application so that it can only perform the necessary operations for ticket management.
  • Implement input validation and convert the ticket creation logic to use parameterized queries to prevent similar injection flaws.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:45:00 +0000

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:*
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Wed, 14 Jan 2026 16:30:00 +0000

Type: Description
  Values Removed: GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
  Values Added: GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
Type: Title
  Values Removed: GestSup <= 3.2.56 SQL Injection in Ticket Creation
  Values Added: GestSup < 3.2.60 SQL Injection in Ticket Creation

Mon, 12 Jan 2026 14:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Gestsup; Gestsup gestsup
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Gestsup; Gestsup gestsup

Fri, 09 Jan 2026 19:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 16:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
Type: Title
  Values Removed: (none)
  Values Added: GestSup <= 3.2.56 SQL Injection in Ticket Creation
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-89
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:14.265Z

Reserved: 2026-01-06T16:47:17.184Z

Link: CVE-2026-22196

Vulnrichment

Updated: 2026-01-09T17:47:45.515Z

NVD

Status: Analyzed

Published: 2026-01-09T17:15:55.037

Modified: 2026-01-14T19:37:37.690

Link: CVE-2026-22196

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses