Description
An issue that allowed a SQL injection attack vector related to saved queries (introduced in version 4.0.260123.0). This is an instance of CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H (6.4 Medium). This issue was fixed in version 4.0.260123.1 of the runZero Platform.
Published: 2026-04-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data confidentiality, integrity, and availability compromise
Action: Patch Immediately
AI Analysis

Impact

An SQL injection flaw exists in the saved queries feature of the runZero Platform, introduced in release 4.0.260123.0. Input supplied when a saved query is created or edited reaches an SQL statement without being properly neutralized (CWE-89), so an attacker who controls that input can append or alter SQL that the database then executes. As a result, the attacker could read, modify, or delete records in the platform's database; the vector rates confidentiality, integrity, and availability impact as High (C:H/I:H/A:H). The CVSS v3.1 base score is 6.4 (Medium); the score is held down not by the impact but by the preconditions discussed under Risk and Exploitability.

Affected Systems

The affected product is the runZero Platform. The flaw was introduced in release 4.0.260123.0, which is also the only version listed in the CPE data for this CVE; earlier releases are not described as affected. The issue is fixed in release 4.0.260123.1, and deployments running 4.0.260123.0 should upgrade to that version or later.

Risk and Exploitability

The medium score should not be read as low impact: the vector records High impact on all three of confidentiality, integrity, and availability, and the score is reduced by the preconditions. PR:H means the attacker already holds a highly privileged account, UI:R means a separate user must take some action, and AC:H means conditions outside the attacker's control must also hold. EPSS is below 1%, the issue is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so there is no evidence of exploitation in the wild at the time of writing. The likely path requires authenticated access that permits creating or editing saved queries, through the web UI or API; a crafted saved query that is not neutralized before reaching the database would then be executed as SQL, exposing or tampering with stored data.

Generated by OpenCVE AI on April 7, 2026 at 21:05 UTC.
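The saved-query pattern described above, as an added example that is not runZero's code and does not come from the OpenCVE page: a toy Python/sqlite3 asset inventory in which a filter value stored with a saved query is spliced into the SQL text when the query is later run (the CWE-89 defect, here in its second-order form) beside the parameterised version. The table names, columns, sample rows, and payloads are all constructed for illustration and say nothing about how runZero's feature is actually implemented.

```python
import sqlite3

# Constructed sample data (not from runZero): a tiny asset inventory and a
# table of saved queries whose filter value is supplied by the user.
ASSETS = [
    (1, "web-01", "10.0.0.10", "linux"),
    (2, "db-01", "10.0.0.20", "linux"),
    (3, "dc-01", "10.0.0.30", "windows"),
]


def make_db():
    """Build an in-memory database with the sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, addr TEXT, os TEXT)"
    )
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?, ?)", ASSETS)
    conn.execute(
        "CREATE TABLE saved_queries (id INTEGER PRIMARY KEY, name TEXT, os_filter TEXT)"
    )
    return conn


def save_query(conn, name, os_filter):
    """Store a saved query. This INSERT is parameterised, so saving a hostile
    value is harmless by itself; the defect is in how the value is used later."""
    cur = conn.execute(
        "INSERT INTO saved_queries (name, os_filter) VALUES (?, ?)", (name, os_filter)
    )
    return cur.lastrowid


def load_filter(conn, query_id):
    """Fetch the stored filter value for a saved query."""
    (os_filter,) = conn.execute(
        "SELECT os_filter FROM saved_queries WHERE id = ?", (query_id,)
    ).fetchone()
    return os_filter


def run_saved_query_vulnerable(conn, query_id):
    """CWE-89: the stored filter is spliced into the SQL text. A value that
    was accepted at save time becomes executable SQL at run time."""
    sql = f"SELECT id, name FROM assets WHERE os = '{load_filter(conn, query_id)}'"
    return conn.execute(sql).fetchall()


def run_saved_query_fixed(conn, query_id):
    """Hardened form: the stored filter is bound as a parameter, so the
    database treats it as data whatever characters it contains."""
    return conn.execute(
        "SELECT id, name FROM assets WHERE os = ?", (load_filter(conn, query_id),)
    ).fetchall()


def demo():
    """Run one benign and two hostile saved queries through both paths."""
    conn = make_db()
    benign = save_query(conn, "linux hosts", "linux")
    # Tautology: turns the WHERE clause into a match on every asset row.
    taut = save_query(conn, "all rows", "' OR '1'='1")
    # UNION: reads rows from a table the saved query was never meant to touch.
    union = save_query(
        conn, "other table", "x' UNION SELECT id, name FROM saved_queries --"
    )
    return {
        "benign_vuln": run_saved_query_vulnerable(conn, benign),
        "benign_fixed": run_saved_query_fixed(conn, benign),
        "taut_vuln": run_saved_query_vulnerable(conn, taut),
        "taut_fixed": run_saved_query_fixed(conn, taut),
        "union_vuln": run_saved_query_vulnerable(conn, union),
        "union_fixed": run_saved_query_fixed(conn, union),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:13} -> {rows}")
```

The two hostile saved queries return every asset and the contents of the unrelated saved_queries table through the vulnerable path, and nothing at all through the parameterised path, which is the behaviour a fix for this class of bug should produce. The point of storing the payload first is that input validation at save time is not a substitute for binding parameters at run time.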

Remediation

Vendor Solution

This issue was fixed in version 4.0.260123.1 of the runZero Platform.


OpenCVE Recommended Actions

  • Update runZero Platform to version 4.0.260123.1 or later

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Runzero; runzero Platform
CPEs                 (none)           cpe:2.3:a:runzero:runzero_platform:4.0.260123.0:*:*:*:*:*:*:*
Vendors & Products   (none)           Runzero; runzero Platform

Wed, 08 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Runzero; Runzero platform
Vendors & Products   (none)           Runzero; Runzero platform

Tue, 07 Apr 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           An issue that allowed a SQL injection attack vector related to saved queries (introduced in version 4.0.260123.0). This is an instance of CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H (6.4 Medium). This issue was fixed in version 4.0.260123.1 of the runZero Platform.
Title        (none)           runZero Platform SQL injection in saved queries
Weaknesses   (none)           CWE-89
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T14:50:25.766Z

Reserved: 2026-04-01T19:51:10.741Z

Link: CVE-2026-5372

Vulnrichment

Updated: 2026-04-07T14:44:19.479Z

NVD

Status : Analyzed

Published: 2026-04-07T15:17:46.973

Modified: 2026-04-21T15:06:58.003

Link: CVE-2026-5372

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:21Z

Weaknesses