Description
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL commands. This would lead to the enumeration of sensitive employee data.
Published: 2026-03-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive employee data disclosure
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a NoSQL injection flaw in the Wakyma web application. An authenticated user can manipulate a GET request to the endpoint vets.wakyma.com/centro/equipo/empleado to inject special NoSQL commands. The flaw allows enumeration of sensitive employee data, which is a breach of confidentiality. The underlying weakness maps to CWE-89 (SQL injection) and CWE-943 (Improper Neutralization of NoSQL Injection).

Affected Systems

Wakyma's web application is affected. All deployments running the vulnerable endpoint are at risk until the vendor's patch is applied. Wakyma stated that the continuous integration build deployed to production since February 19, 2026 includes the fix. The product does not list individual version numbers, so any deployment from before that date remains vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk to confidentiality and integrity. The EPSS score below 1% suggests a low probability of exploitation in the wild, and the vulnerability is not yet included in the CISA KEV catalog. Exploitation requires valid authentication and network access to the web endpoint, so an attacker with access to the application's infrastructure or with compromised user credentials could enumerate sensitive records.

Generated by OpenCVE AI on March 20, 2026 at 19:27 UTC.

Remediation

Vendor Solution

Wakyma has fixed the vulnerability in the continuous integration build deployed to production since February 19, 2026.


OpenCVE Recommended Actions

  • Upgrade to the patched release deployed since February 19, 2026.
  • Verify that the endpoint no longer accepts injected NoSQL commands.
  • Review access controls and disable or restrict privileged user accounts to limit the impact of any accidental reintroduction of the flaw.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 18:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wakyma wakyma
Weaknesses          |                | CWE-89
CPEs                |                | cpe:2.3:a:wakyma:wakyma:-:*:*:*:*:*:*:*
Vendors & Products  |                | Wakyma wakyma
Metrics             |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 16 Mar 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL commands. This would lead to the enumeration of sensitive employee data.
Title               |                | Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
First Time appeared |                | Wakyma; Wakyma wakyma Application Web
Weaknesses          |                | CWE-943
CPEs                |                | cpe:2.3:a:wakyma:wakyma_application_web:all_versions:*:*:*:*:*:*:*
Vendors & Products  |                | Wakyma; Wakyma wakyma Application Web
References          |                |
Metrics             |                | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-16T15:27:11.828Z

Reserved: 2026-02-23T13:43:54.643Z

Link: CVE-2026-3021

Vulnrichment

Updated: 2026-03-16T15:27:00.225Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:45.320

Modified: 2026-03-20T18:25:18.947

Link: CVE-2026-3021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T08:00:30Z

Weaknesses