Description
BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL Injection flaw resides in the EventRepository of BillaBear. User‑controlled metric filter names and aggregation property identifiers are embedded directly into SQL queries via sprintf without sanitization or identifier quoting. Only the filter values are bound as parameters; the filter keys and the aggregation property are spliced into the statement text before the driver ever sees it, so an attacker who controls a key or property name controls the structure of the query itself, and binding the values does nothing to stop that. The vulnerability is exploitable by any authenticated user holding the ROLE_ACCOUNT_MANAGER permission and can lead to unauthorized retrieval, modification, or deletion of data in the database.

Affected Systems

The issue affects all BillaBear deployments using versions released before January 2026. No other vendor or product versions are listed as impacted.

Risk and Exploitability

The CVSS v3.1 score is 8.8 (High); the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes a network‑reachable flaw that needs only a low‑privilege account and no user interaction, with high impact on confidentiality, integrity, and availability. The EPSS score is below 1%, reflecting a low observed probability of exploitation, but the SSVC assessment records a public proof of concept and rates the flaw as automatable, and any authenticated user holding ROLE_ACCOUNT_MANAGER can supply metric filter names and aggregation properties through the application features that accept them, so a malicious tenant user or a compromised account‑manager credential is enough. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 20, 2026 at 15:52 UTC.

Remediation

The CVE record lists no vendor fix or workaround. The affected range ("all versions prior to Jan 2026") implies that releases from January 2026 onward carry the corrected EventRepository; confirm the fixed version against the GitHub advisory GHSA-xp6r-8pcc-xv5p before relying on that.

OpenCVE Recommended Actions

  • Upgrade BillaBear to a release issued on or after January 2026, which the affected range implies contains the patched EventRepository code.
  • Grant ROLE_ACCOUNT_MANAGER only to users who need it, and review whether those users need to submit arbitrary metric filters at all.
  • Validate every metric filter name and aggregation property against a fixed allowlist of known column and property names before it reaches the query builder, and quote any identifier that is still interpolated; binding only the filter values is not sufficient, because the injection point is the identifier, not the value.
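The following example is added here and is not BillaBear's code; it is a constructed Python/sqlite3 model of the pattern described in the Impact section above and of the allowlist validation recommended in the last action. The table names (event, api_key), the columns, the two attack strings and the leaked secret are all made up for the demonstration. It shows that binding the filter values achieves nothing once the attacker controls the aggregation property or a filter key, because both are formatted straight into the statement text with the placeholder count unchanged, and it puts the hardened builder beside the vulnerable one:

```python
import sqlite3

# Constructed sample schema for the demonstration; it is not BillaBear's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (id INTEGER PRIMARY KEY, customer_id INTEGER,
                            amount REAL, region TEXT);
        INSERT INTO event VALUES (1, 10, 5.0, 'eu'), (2, 10, 7.5, 'us'),
                                 (3, 11, 1.0, 'eu');
        CREATE TABLE api_key (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO api_key VALUES (1, 'sk_live_constructed_secret');
    """)
    return conn


def build_sql_vulnerable(aggregate_property, filters):
    """Same shape as the flaw the advisory describes: filter VALUES get a
    placeholder, but the aggregation property and each filter KEY are
    printf-formatted straight into the statement text."""
    clauses = ["customer_id = ?"]
    clauses += ["%s = ?" % key for key in filters]   # key neither validated nor quoted
    return "SELECT SUM(%s) FROM event WHERE %s" % (
        aggregate_property, " AND ".join(clauses))


def aggregate_vulnerable(conn, customer_id, aggregate_property, filters):
    sql = build_sql_vulnerable(aggregate_property, filters)
    return conn.execute(sql, [customer_id, *filters.values()]).fetchall()


# Hardened form. Identifiers must come from an allowlist the application owns;
# values stay bound. Quoting alone would still let a caller name any existing
# column, so the allowlist is the primary control and quoting is defence in depth.
ALLOWED_PROPERTIES = {"amount", "id"}
ALLOWED_FILTER_COLUMNS = {"region"}


def quote_identifier(name):
    # Standard SQL double-quote identifier quoting (what a DBAL quoteIdentifier does).
    return '"' + name.replace('"', '""') + '"'


def build_sql_safe(aggregate_property, filters):
    if aggregate_property not in ALLOWED_PROPERTIES:
        raise ValueError("unknown aggregation property: %r" % aggregate_property)
    unknown = set(filters) - ALLOWED_FILTER_COLUMNS
    if unknown:
        raise ValueError("unknown filter column(s): %r" % sorted(unknown))
    clauses = ["customer_id = ?"]
    clauses += ["%s = ?" % quote_identifier(key) for key in filters]
    return "SELECT SUM(%s) FROM event WHERE %s" % (
        quote_identifier(aggregate_property), " AND ".join(clauses))


def aggregate_safe(conn, customer_id, aggregate_property, filters):
    sql = build_sql_safe(aggregate_property, filters)
    return conn.execute(sql, [customer_id, *filters.values()]).fetchall()


def rejected(aggregate_property, filters):
    """True if the hardened builder refuses these identifiers."""
    try:
        build_sql_safe(aggregate_property, filters)
    except ValueError:
        return True
    return False


# Two constructed injections. Both leave the placeholder count unchanged, so the
# bound values still line up and the driver raises nothing.
PROP_ATTACK = "id), (SELECT secret FROM api_key"           # closes SUM(), adds a column
KEY_ATTACK = "0 UNION SELECT secret FROM api_key WHERE 1"   # key carries a UNION; the bound
                                                             # "filter value" 1 lands in its WHERE


def demo():
    conn = make_db()
    legit = aggregate_vulnerable(conn, 10, "amount", {"region": "eu"})
    leaked_column = aggregate_vulnerable(conn, 10, PROP_ATTACK, {"region": "eu"})
    leaked_union = aggregate_vulnerable(conn, 10, "amount", {KEY_ATTACK: 1})
    return legit, leaked_column, leaked_union


if __name__ == "__main__":
    legit, leaked_column, leaked_union = demo()
    print("legitimate:", legit)
    print("property injection:", leaked_column)
    print("filter-key injection:", leaked_union)
    print("hardened rejects property attack:", rejected(PROP_ATTACK, {"region": "eu"}))
    print("hardened rejects key attack:", rejected("amount", {KEY_ATTACK: 1}))
```

The legitimate call returns the customer's summed amount; the property attack returns the same sum with the api_key secret appended as a second column, and the key attack returns the secret as a UNION row, in both cases through a statement whose values were bound correctly. In a PHP code base the equivalent allowlist check belongs immediately before the sprintf() call, and if the repository sits on Doctrine DBAL (an assumption; the page does not say which layer it uses) quoteIdentifier() can supply the quoting, but quoting is not a substitute for the allowlist.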


Advisories
Source: GitHub GHSA
ID: GHSA-xp6r-8pcc-xv5p
Title: BillaBear is Vulnerable to SQL Injection in the EventRepository
History

Wed, 20 May 2026 16:15:00 +0000

Type: Title
Values added: Unsanitized Metric Filters Enable SQL Injection in BillaBear EventRepository

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values added: Billabear; Billabear billabear
Type: Vendors & Products
Values added: Billabear; Billabear billabear

Tue, 19 May 2026 17:15:00 +0000

Type: Title
Values added: Unsanitized Metric Filters Enable SQL Injection in BillaBear EventRepository
Type: Weaknesses
Values added: CWE-89

Tue, 19 May 2026 15:45:00 +0000

Type: Description
Values added: BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-20T13:50:15.527Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31069

Vulnrichment

Updated: 2026-05-20T13:50:10.890Z

NVD

Status: Deferred

Published: 2026-05-19T16:16:20.230

Modified: 2026-05-20T14:16:40.150

Link: CVE-2026-31069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T16:00:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')