Description
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
Published: 2026-02-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw (CWE‑89) that permits unauthenticated remote attackers to supply arbitrary SQL statements. By exploiting this flaw, an attacker can read database contents, effectively exposing sensitive information. The vulnerability resides in the C&Cm@il component of the HGiga package.

Affected Systems

HGiga’s C&Cm@il package, distributed as olln-base, is affected. Any installation using versions older than 7.0‑978 is vulnerable; versions 7.0‑978 or later contain the vendor‑provided fix.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity risk, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The flaw is exploitable remotely without authentication, requiring only that an attacker be able to send crafted input to the vulnerable endpoint. Although a successful attack would compromise the confidentiality of database contents, there is no evidence of further consequences such as code execution or privilege escalation in the current description. The vulnerability is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on April 18, 2026 at 13:06 UTC.

Remediation

Vendor Solution

Update package olln-base to version 7.0-978 or later.


OpenCVE Recommended Actions

  • Upgrade the olln-base package to version 7.0‑978 or later as instructed by the vendor.
  • Deploy a Web Application Firewall or input filtering layer to block malformed SQL payloads until the patch is applied.
  • Implement strict input validation on all user‑controlled data and enforce least‑privilege database access to limit potential damage if injection is still possible.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 12:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hgiga
                                      Hgiga c&cm@il Package Olln-base
Vendors & Products                    Hgiga
                                      Hgiga c&cm@il Package Olln-base

Mon, 09 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description                    C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
Title                          HGiga|C&Cm@il - SQL Injection
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                               cvssV4_0
                               {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-02-09T15:42:20.067Z

Reserved: 2026-02-09T06:09:01.299Z

Link: CVE-2026-2236

Vulnrichment

Updated: 2026-02-09T15:42:15.248Z

NVD

Status: Deferred

Published: 2026-02-09T08:16:12.633

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:15:25Z

Weaknesses