GCVE-1-2026-0031

PUBLISHED
Published: 29 Apr 2026, 20:14
Last modified:29 Apr 2026, 20:14

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.4 CRITICAL
v4.0 (gcve)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

29 Apr 2026, 20:14
Published
Vulnerability first disclosed

Description

A SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. The issue was fixed by removing direct use of the user-supplied order parameter, validating requested ordering fields against allowed model fields or the model schema, and constructing the order clause using validated field names and normalized sort directions only.

CVSS Metrics

  • v4.0CRITICALScore: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Affected Systems

  • mispmisp

    < 2.5.37

References (1)