Description
Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20, 24.04.24.
Published: 2026-02-27
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Data Compromise via Blind SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from unsanitized array keys used when deleting service dependencies in the Centreon Web on the Central Server. This flaw allows a blind SQL injection that can be triggered when processing deletion requests. Based on the description, it is inferred that an attacker could manipulate the underlying database queries, potentially retrieving or altering data stored in the database.

Affected Systems

Centreon Web on the Central Server, specifically the Service Dependencies module on Linux, is affected. Versions prior to 25.10.8, 24.10.20, and 24.04.24 are listed as vulnerable in the vendor advisory.

Risk and Exploitability

The flaw carries a CVSS score of 8.3, indicating high severity. The EPSS score is reported as less than 1%, suggesting a low probability of active exploitation at the time of assessment, and it is not listed in the CISA KEV catalog. The likely attack path involves interacting with the deletion endpoint exposed in the web interface, which requires the ability to send requests to that endpoint. Based on the description, it is inferred that the attacker could exploit the vulnerability by sending crafted deletion requests that include malicious array keys.

Generated by OpenCVE AI on April 18, 2026 at 10:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Centreon Web to 25.10.8 or later, 24.10.20 or later, or 24.04.24 or later to apply the vendor fix.
  • If upgrading is not immediately possible, restrict the deletion of service dependencies to users with the highest privilege level and implement server-side validation to ensure array keys are numeric or strictly typed.
  • Configure a web application firewall to block or alert on suspicious SQL payloads targeting the deletion endpoint.
  • Continuously monitor application and database logs for abnormal query patterns that could indicate an attempted injection.
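
The server-side key validation recommended above, sketched in PHP as an added example; it is not Centreon's code or the vendor's patch. The function names, the `dependency_demo` table, and the `select[<id>]=1` request shape are assumptions made for illustration, and the sample rows and keys are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not Centreon code: the form submits select[<id>]=1, so
// the IDs arrive as array KEYS. One bad key rejects the whole request.
function dependencyIdsFromKeys(array $select): array
{
    $ids = [];
    foreach (array_keys($select) as $key) {
        // PHP casts canonical decimal string keys ("12") to int on its own;
        // a key that is still a string ("012", "1e3", "3 OR 1=1") is not an ID.
        if (!is_int($key) || $key < 1) {
            throw new InvalidArgumentException('Invalid dependency id key');
        }
        $ids[] = $key;
    }
    return $ids;
}

// Deletes only validated IDs, and only through bound integer parameters.
function deleteDependencies(PDO $db, array $select): int
{
    $ids = dependencyIdsFromKeys($select); // validate before touching the DB
    $stmt = $db->prepare('DELETE FROM dependency_demo WHERE id = :id');
    $deleted = 0;
    $db->beginTransaction();
    foreach ($ids as $id) {
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $deleted += $stmt->rowCount();
    }
    $db->commit();
    return $deleted;
}

// Constructed demo data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dependency_demo (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO dependency_demo VALUES (1, 'a'), (2, 'b'), (3, 'c')");

echo deleteDependencies($db, [1 => '1', 2 => '1']), " rows deleted\n";
try {
    deleteDependencies($db, ['3 OR 1=1' => '1']); // constructed non-numeric key
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validating the keys and binding them as integers are two independent layers: either one alone keeps a string key out of the SQL text, and the validation failure is also a useful event to log for the monitoring item above.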

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Centreon centreon Web
CPEs cpe:2.3:a:centreon:centreon_web:*:*:*:*:*:*:*:*
Vendors & Products Centreon centreon Web

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Centreon
Centreon centreon Web On Central Server
Vendors & Products Centreon
Centreon centreon Web On Central Server

Fri, 27 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Description
Values Removed: Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central Server: all supported version.
Values Added: Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20, 24.04.24.

Fri, 27 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
Description Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central Server: all supported version.
Title Blind SQL Injection
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: Centreon

Published:

Updated: 2026-02-27T14:26:21.910Z

Reserved: 2026-02-19T14:25:19.973Z

Link: CVE-2026-2751

Vulnrichment

Updated: 2026-02-27T14:26:14.215Z

NVD

Status: Analyzed

Published: 2026-02-27T14:16:30.780

Modified: 2026-03-09T20:50:29.480

Link: CVE-2026-2751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z