Description
Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5
Published: 2026-04-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Immediate Patch
AI Analysis

Impact

Hydrosystem Control System suffers from widespread SQL injection across many scripts and input parameters. Because the application performs no input validation or parameterization, an attacker with valid user credentials can insert arbitrary SQL statements, allowing full read, write, and deletion of all data stored in the database, which compromises confidentiality, integrity and availability.

Affected Systems

Hydrosystem Control System is affected, with all releases prior to version 9.8.5 vulnerable. The fix was delivered in Hydrosystem Control System 9.8.5. All installations of earlier versions run at risk regardless of deployment environment.

Risk and Exploitability

The CVSS v3 score of 8.7 indicates high severity, and the flaw requires authentication, which limits exposure compared to unauthenticated vulnerabilities but still allows attackers who have compromised credentials or social engineered access to fully exploit the issue. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, but the high score underscores significant potential impact if an attacker can reach the input vectors.

Generated by OpenCVE AI on April 9, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hydrosystem Control System to version 9.8.5 or later.
  • Confirm that all installations are running the patched release.
  • Limit access to the control system to trusted network segments and enforce strong authentication.
  • Review database permissions to ensure least privilege for application accounts.
  • Monitor database logs for signs of unauthorized or abnormal SQL activity.

Generated by OpenCVE AI on April 9, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Hydrosystem.poznan
Hydrosystem.poznan control System
CPEs cpe:2.3:a:hydrosystem.poznan:control_system:*:*:*:*:*:*:*:*
Vendors & Products Hydrosystem.poznan
Hydrosystem.poznan control System
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Hydrosystem
Hydrosystem control System
Vendors & Products Hydrosystem
Hydrosystem control System

Thu, 09 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5
Title SQL Injection in Hydrosystem Control System
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Hydrosystem Control System
Hydrosystem.poznan Control System
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-09T11:45:33.927Z

Reserved: 2026-03-26T09:40:20.576Z

Link: CVE-2026-34185

cve-icon Vulnrichment

Updated: 2026-04-09T11:45:30.918Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T10:16:22.260

Modified: 2026-04-20T17:05:51.550

Link: CVE-2026-34185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:32:57Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')