Description
GestSup versions prior to 3.2.60 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
Published: 2026-01-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access and modification
Action: Apply Patch
AI Analysis

Impact

GestSup versions older than 3.2.60 contain multiple SQL injection flaws in the asset list feature. Filter, search, and sort request parameters are inserted directly into SQL statements without adequate sanitization, so a logged-in attacker can supply crafted values that change the meaning of the query. Depending on the privileges granted to the application's database user, exploitation allows reading sensitive information or altering database records.

Affected Systems

The vulnerability affects the GestSup application, specifically all releases before 3.2.60. The exposed functionality is the asset list page, which any authenticated user can access.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the low EPSS value (<1%) suggests that exploitation is currently unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog, meaning no widespread exploitation has been reported. Authentication is required, so only users with valid credentials on the system can reach the injection points. If the application's database user has read or write privileges, the impact could range from data leakage to full data tampering. The absence of known public exploitation reduces the immediate threat, but the high potential damage warrants prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GestSup to version 3.2.60 or later, which replaces vulnerable query construction with parameterized statements.
  • Review all database operations in the application to ensure that user-supplied values are handled through prepared statements or explicit sanitization.
  • Limit the privileges of the database account used by GestSup to only the necessary operations, preventing unauthorized data modifications even if an injection succeeds.
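As an added example (not GestSup's own code; the real schema and request parameter names are not on this page, so the `assets` table and its column names are assumptions), the following Python shows the remediation the recommended actions describe: filter and search values are bound as parameters, while the sort column and direction, which cannot be bound, are checked against an allowlist. It also escapes LIKE wildcards so a search term is matched literally rather than as a pattern.

```python
import sqlite3

# Columns the asset list may be sorted by, mapped to their real SQL names.
# ORDER BY cannot take a bound parameter, so the only safe option is an
# allowlist: anything not in these dicts is rejected before reaching SQL.
SORT_COLUMNS = {"name": "name", "type": "asset_type", "owner": "owner"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def like_pattern(term):
    # Escape LIKE wildcards so a user typing "%" searches for a literal percent.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


def build_asset_query(search=None, asset_type=None, sort="name", direction="asc"):
    """Return (sql, params) for the asset list. Filter and search values are
    bound as parameters; sort column and direction come from the allowlists."""
    if sort not in SORT_COLUMNS or direction not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort parameter")
    clauses, params = [], []
    if search:
        clauses.append("name LIKE ? ESCAPE '\\'")
        params.append(like_pattern(search))
    if asset_type:
        clauses.append("asset_type = ?")
        params.append(asset_type)
    where = f" WHERE {' AND '.join(clauses)}" if clauses else ""
    sql = (f"SELECT name, asset_type, owner FROM assets{where}"
           f" ORDER BY {SORT_COLUMNS[sort]} {SORT_DIRECTIONS[direction]}")
    return sql, params


def list_assets(conn, **kwargs):
    sql, params = build_asset_query(**kwargs)
    return conn.execute(sql, params).fetchall()


def demo_db():
    # Constructed sample data (hypothetical schema), not from any real GestSup install.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (name TEXT, asset_type TEXT, owner TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", [
        ("laptop-01", "laptop", "alice"),
        ("printer-02", "printer", "bob"),
        ("o'brien-pc", "desktop", "carol"),
    ])
    return conn
```

With this structure a quote in a search term is plain data and a sort value outside the allowlist is rejected before any SQL is built.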

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:45:00 +0000

Type: CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:*
Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Wed, 14 Jan 2026 16:30:00 +0000

Type: Description
  Values removed: GestSup versions up to and including 3.2.56 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
  Values added: GestSup versions prior to 3.2.60 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
Type: Title
  Values removed: GestSup <= 3.2.56 Multiple SQL Injections in Asset List
  Values added: GestSup < 3.2.60 Multiple SQL Injections in Asset List

Mon, 12 Jan 2026 14:45:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Gestsup; Gestsup gestsup
Type: Vendors & Products
  Values removed: (none)
  Values added: Gestsup; Gestsup gestsup

Fri, 09 Jan 2026 19:15:00 +0000

Type: Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 16:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: GestSup versions up to and including 3.2.56 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
Type: Title
  Values removed: (none)
  Values added: GestSup <= 3.2.56 Multiple SQL Injections in Asset List
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-89
Type: References
Type: Metrics
  Values removed: (none)
  Values added: cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:15.149Z

Reserved: 2026-01-06T16:47:17.184Z

Link: CVE-2026-22197

Vulnrichment

Updated: 2026-01-09T17:48:02.889Z

NVD

Status: Analyzed

Published: 2026-01-09T17:15:55.170

Modified: 2026-01-14T19:43:05.013

Link: CVE-2026-22197

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses