Description
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them to list both pets and owner names.
Published: 2026-03-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

This vulnerability is a non-relational SQL injection (NoSQLi) in the Wakyma web application, affecting the endpoint 'vets.wakyma.com/pets/print-tags'. An authenticated attacker can modify a POST request to inject NoSQL commands and list pets and owner names. The weakness is classified as CWE-89 and CWE-943: user input is improperly handled within NoSQL queries, which leads directly to unauthorized data disclosure.

Affected Systems

Affected system: Wakyma application web. No specific revision or version information is supplied; all deployed instances of the application web are potentially vulnerable. The entry references several CPE strings that match the Wakyma product line, but they provide no version granularity.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1%, indicating a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user, who can then send a crafted POST request to the vulnerable endpoint. Attackers would need valid session credentials and access to the web interface; no remote unauthenticated vector is described.

Generated by OpenCVE AI on March 19, 2026 at 21:25 UTC.

Remediation

Vendor Solution

Wakyma has fixed the vulnerability in the continuous integration deployed in production since February 19, 2026.


OpenCVE Recommended Actions

  • Apply the updated application from the continuous integration that was deployed to production on February 19, 2026, which contains the fix for the NoSQL injection in the pets/print-tags endpoint.


History

Thu, 19 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wakyma wakyma
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:wakyma:wakyma:-:*:*:*:*:*:*:*
Vendors & Products | | Wakyma wakyma
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 16 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
Description | | Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them to list both pets and owner names.
Title | | Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
First Time appeared | | Wakyma, Wakyma wakyma Application Web
Weaknesses | | CWE-943
CPEs | | cpe:2.3:a:wakyma:wakyma_application_web:all_versions:*:*:*:*:*:*:*
Vendors & Products | | Wakyma, Wakyma wakyma Application Web
References | |
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-16T13:25:33.440Z

Reserved: 2026-02-23T13:43:56.162Z

Link: CVE-2026-3023

Vulnrichment

Updated: 2026-03-16T13:25:28.963Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:45.663

Modified: 2026-03-19T20:04:19.553

Link: CVE-2026-3023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T08:00:29Z
