Description
CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Published: 2026-05-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CTMS developed by Sunnet contains a SQL Injection vulnerability that allows an authenticated remote attacker to inject arbitrary SQL commands. This flaw enables the attacker to read sensitive information, alter database records, or delete data entirely. The weakness is classified as CWE-89, reflecting unsanitized input in database queries.

Affected Systems

Sunnet CTMS is identified as the affected product. No specific version details are currently available, meaning every release of the CTMS software may be vulnerable until Sunnet releases a fix.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity impact. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known active exploits. The attack vector is authenticated remote, requiring the attacker to be logged in to the application. Once authenticated, the attacker can execute arbitrary SQL commands, leading to data compromise. The absence of an immediate patch increases the risk for systems that have not yet updated.

Generated by OpenCVE AI on May 2, 2026 at 11:28 UTC.

Remediation

Vendor Solution

The vendor should have issued a patch. If not yet received, please reach out to the vendor directly.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch or update for Sunnet CTMS that addresses the SQL injection.
  • If no patch is currently available, contact Sunnet immediately to request a fix or interim mitigation steps.
  • Limit the database permissions granted to the CTMS application account, granting only the minimum privileges required for normal operation to constrain potential damage from a successful injection.

Generated by OpenCVE AI on May 2, 2026 at 11:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Sun.net
Sun.net ehrd Ctms
CPEs cpe:2.3:a:sun.net:ehrd_ctms:*:*:*:*:*:*:*:*
Vendors & Products Sun.net
Sun.net ehrd Ctms

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Sunnet
Sunnet ctms
Vendors & Products Sunnet
Sunnet ctms

Mon, 04 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 02 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Title Sunnet|CTMS - SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Sun.net Ehrd Ctms
Sunnet Ctms
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-05-04T13:42:08.020Z

Reserved: 2026-04-30T09:01:04.104Z

Link: CVE-2026-7489

cve-icon Vulnrichment

Updated: 2026-05-04T13:42:04.143Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-02T10:16:18.803

Modified: 2026-05-12T18:31:55.223

Link: CVE-2026-7489

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T19:44:29Z

Weaknesses