Description
Corteza contains a SQL injection vulnerability in its Microsoft SQL Server (MSSQL) backend when filtering Compose records by the meta field.This issue affects corteza: 2024.9.8.
Published: 2026-05-11
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Corteza 2024.9.8 contains a SQL injection vulnerability that occurs when filtering Compose records by the meta field in its Microsoft SQL Server backend. The flaw arises from incorrect T‑SQL string escaping, allowing an attacker to inject arbitrary SQL code. This can result in unauthorized read or write operations on the database, potentially exposing sensitive business or user data and enabling further compromise of the application.

Affected Systems

The affected product is Corteza version 2024.9.8. This impact applies to installations running on Linux, macOS, or Windows platforms as indicated by the provided CPE strings.

Risk and Exploitability

The CVSS score of 6.0 indicates a medium severity, and the EPSS score is currently not available, meaning the publicly reported exploitation probability is unclear. The vulnerability is not listed in CISA’s KEV catalog. Because the flaw relies on an incorrect string escape in a database query, an attacker who can influence the meta filter value—likely via a user-supplied input—can exploit the injection. Successful exploitation would allow data exfiltration or modification of data stored in the Composes table.

Generated by OpenCVE AI on May 11, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Corteza to a patched version that fixes the SQL injection issue, for example any release after 2024.9.8.
  • If the patch is not immediately available, configure the application to reject or escape the meta filter input to prevent SQL injection, such as by implementing input validation rules that strip or encode characters like single quotes and semicolons.
  • Monitor database query logs for anomalous activity related to the COMPOSES table and investigate any suspicious SQL statements that contain unescaped user input.

Generated by OpenCVE AI on May 11, 2026 at 17:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Corteza contains a SQL injection vulnerability in its Microsoft SQL Server (MSSQL) backend when filtering Compose records by the meta field.This issue affects corteza: 2024.9.8.
Title Corteza 2024.9.8 - SQL Injection in MSSQL JSON-path meta filter via incorrect T-SQL string escaping
First Time appeared Cortezaproject
Cortezaproject corteza
Weaknesses CWE-89
CPEs cpe:2.3:a:cortezaproject:corteza:2024.9.8:*:linux:*:*:*:*:*
cpe:2.3:a:cortezaproject:corteza:2024.9.8:*:macos:*:*:*:*:*
cpe:2.3:a:cortezaproject:corteza:2024.9.8:*:windows:*:*:*:*:*
Vendors & Products Cortezaproject
Cortezaproject corteza
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cortezaproject Corteza
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-05-11T19:26:53.093Z

Reserved: 2026-04-10T16:08:10.755Z

Link: CVE-2026-6093

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-11T16:17:36.800

Modified: 2026-05-12T18:56:44.480

Link: CVE-2026-6093

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:23:12Z

Weaknesses