Description
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting special NoSQL commands, resulting in the attacker being able to obtain customer reports.
Published: 2026-03-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

Non-relational SQL injection, also referred to as NoSQLi, is found in the Wakyma web application at the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. The flaw allows an authenticated user to modify a POST request and inject NoSQL commands. Consequently, the attacker can retrieve sensitive customer reports, compromising the confidentiality of the data. The weakness is classified under CWE-89 (SQL Injection) and CWE-943 (Exploitation of NoSQL Injection).
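The tampering the analysis describes, a query-operator object substituted for a plain string in a POST body, next to the server-side check that refuses it, as an added example that is not Wakyma's code; the field names, the sample bodies and the expected-type table are assumptions.

```python
from typing import Any

# Fields the summary endpoint is assumed to accept, each with its expected
# scalar type. Assumption: the real Wakyma request schema is not public.
EXPECTED_FIELDS = {"patient_id": str, "hospitalization_id": str}

# Constructed sample bodies (already JSON-decoded, so JSON null is None): a
# legitimate request and a tampered one where a string became an operator object.
NORMAL_BODY = {"patient_id": "P-100", "hospitalization_id": "H-7"}
TAMPERED_BODY = {"patient_id": {"$ne": None}, "hospitalization_id": {"$ne": None}}


class NoSQLInjectionError(ValueError):
    """Raised when a request field carries an operator or has the wrong type."""


def operator_keys(obj: Any, path: str = "") -> list[str]:
    """Detection helper: walk a decoded body and return the path of every key
    beginning with '$', i.e. every place a query operator was smuggled in."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if k.startswith("$"):
                found.append(here)
            found.extend(operator_keys(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(operator_keys(v, f"{path}[{i}]"))
    return found


def build_filter_unsafe(body: dict) -> dict:
    """Vulnerable pattern: client-controlled values are copied into the filter
    verbatim, so an operator object matches every document, not one record."""
    return {k: body[k] for k in EXPECTED_FIELDS if k in body}


def build_filter_safe(body: dict) -> dict:
    """Hardened pattern: each field must be present and a plain value of the
    declared type; objects and arrays (where operators live) are rejected."""
    query = {}
    for field, typ in EXPECTED_FIELDS.items():
        value = body.get(field)
        if not isinstance(value, typ) or isinstance(value, bool):
            raise NoSQLInjectionError(f"{field!r} must be a {typ.__name__}")
        query[field] = {"$eq": value}  # explicit equality; nothing to interpret
    return query
```

Logging the paths returned by `operator_keys` on rejected requests gives a detection signal for the tampering attempts the advisory describes.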

Affected Systems

The affected product is the Wakyma application web, as identified by the CNA. While no explicit version numbers are provided in the CNA data, the vendor notes that the vulnerability was fixed in the continuous integration deployed in production on February 19, 2026, implying that all earlier releases of this application are impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium-to-high severity. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires authenticated access, most likely through the application's normal network interface. The impact involves unauthorized disclosure of customer reports, affecting confidentiality for any users with access to the application.

Generated by OpenCVE AI on March 19, 2026 at 21:52 UTC.

Remediation

Vendor Solution

Wakyma has fixed the vulnerability in the continuous integration deployed in production since February 19, 2026.


OpenCVE Recommended Actions

  • Apply the vendor's patch update that was deployed in production on February 19, 2026.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wakyma wakyma
Weaknesses                            CWE-89
CPEs                                  cpe:2.3:a:wakyma:wakyma:-:*:*:*:*:*:*:*
Vendors & Products                    Wakyma wakyma
Metrics                               cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 16 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:45:00 +0000

Type                 Values Removed   Values Added
Description                           Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting special NoSQL commands, resulting in the attacker being able to obtain customer reports.
Title                                 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
First Time appeared                   Wakyma; Wakyma wakyma Application Web
Weaknesses                            CWE-943
CPEs                                  cpe:2.3:a:wakyma:wakyma_application_web:all_versions:*:*:*:*:*:*:*
Vendors & Products                    Wakyma; Wakyma wakyma Application Web
References
Metrics                               cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-16T15:26:40.413Z

Reserved: 2026-02-23T13:43:55.333Z

Link: CVE-2026-3022

Vulnrichment

Updated: 2026-03-16T15:26:36.730Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:45.493

Modified: 2026-03-19T20:05:34.473

Link: CVE-2026-3022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T08:00:29Z

Weaknesses