Description
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.
Published: 2026-03-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A SQL Injection flaw in the system configuration module of Nefteprodukttekhnika LLC's BUK TS-G Gas Station Automation System allows attackers to inject arbitrary SQL statements via the sql parameter of POST requests to /php/request.php. This weakness, classified as CWE-89, can lead to the execution of arbitrary database commands and potentially remote code execution if the database actions influence the operating system or application logic.

Affected Systems

The vulnerability affects Nefteprodukttekhnika LLC’s BUK TS-G Gas Station Automation System, version 2.9.1, running on Linux. Users of this version should verify their installation on the specified platform.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely over the network by sending crafted HTTP POST requests, indicating a remote attack vector with no local privilege or authentication requirements.

Generated by OpenCVE AI on April 16, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of BUK TS-G Gas Station Automation System that contains the fix for the SQL injection issue.
  • Restrict external access to the /php/request.php endpoint by configuring firewalls or access control lists to allow only trusted IP addresses.
  • Implement input validation or switch to parameterized queries in the configuration module if custom development is feasible, addressing the underlying CWE-89 weakness.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nefteprodukttekhnika Llc
Nefteprodukttekhnika Llc buk Ts-g Gas Station Automation System
Vendors & Products Nefteprodukttekhnika Llc
Nefteprodukttekhnika Llc buk Ts-g Gas Station Automation System

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: SQL Injection (CWE-89) in the system configuration module in Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux allows remote attackers to execute arbitrary SQL commands and potentially achieve remote code execution via specially crafted SQL requests.
Values Added: Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


Tue, 10 Mar 2026 11:30:00 +0000

Type Values Removed Values Added
Description SQL Injection (CWE-89) in the system configuration module in Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux allows remote attackers to execute arbitrary SQL commands and potentially achieve remote code execution via specially crafted SQL requests.
Title SQL Injection in Nefteprodukttekhnika BUK TS-G Allows Remote Code Execution
Weaknesses CWE-89
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-03-10T14:10:41.086Z

Reserved: 2026-03-09T18:20:17.516Z

Link: CVE-2026-3843

Vulnrichment

Updated: 2026-03-10T13:48:49.936Z

NVD

Status: Awaiting Analysis

Published: 2026-03-10T18:19:05.287

Modified: 2026-03-11T13:53:20.707

Link: CVE-2026-3843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses