{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1517", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-28T06:31:08.514Z", "datePublished": "2026-02-05T12:02:06.834Z", "dateUpdated": "2026-02-23T09:18:49.693Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:18:49.693Z"}, "title": "iomad Company Admin Block sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "n/a", "product": "iomad", "versions": [{"version": "3.1", "status": "affected"}, {"version": "3.2", "status": "affected"}, {"version": "3.3", "status": "affected"}, {"version": "3.4", "status": "affected"}, {"version": "3.5", "status": "affected"}, {"version": "3.6", "status": "affected"}, {"version": "3.7", "status": "affected"}, {"version": "3.8", "status": "affected"}, {"version": "3.9", "status": "affected"}, {"version": "3.10", "status": "affected"}, {"version": "3.11", "status": "affected"}, {"version": "4.0", "status": "affected"}, {"version": "4.1", "status": "affected"}, {"version": "4.2", "status": "affected"}, {"version": "4.3", "status": "affected"}, {"version": "4.4", "status": "affected"}, {"version": "4.5", "status": "affected"}, {"version": "5.0", "status": "affected"}], "modules": ["Company Admin Block"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-01-18T01:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-21T01:00:00.000Z", "lang": "en", "value": "Vendor acknowledged"}, {"time": "2026-01-27T21:29:20.000Z", "lang": "en", "value": "Countermeasure disclosed"}, {"time": "2026-02-05T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-06T05:29:02.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Vaibhav Gupta (Appfend Technologies Limited)", "type": "finder"}, {"lang": "en", "value": "VulDB GitHub Analyzer", "type": "tool"}], "references": [{"url": "https://vuldb.com/?id.344487", "name": "VDB-344487 | iomad Company Admin Block sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344487", "name": "VDB-344487 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/iomad/iomad/issues/2559", "tags": ["issue-tracking"]}, {"url": "https://github.com/iomad/iomad/issues/2559#issuecomment-3841174677", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/iomad/iomad/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:08:44.280170Z", "id": "CVE-2026-1517", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:08:51.273Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T14:08:44.280170Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:08:47.965Z"}}], "cna": {"title": "iomad Company Admin Block sql injection", "credits": [{"lang": "en", "type": "finder", "value": "Vaibhav Gupta (Appfend Technologies Limited)"}, {"lang": "en", "type": "tool", "value": "VulDB GitHub Analyzer"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "n/a", "modules": ["Company Admin Block"], "product": "iomad", "versions": [{"status": "affected", "version": "3.1"}, {"status": "affected", "version": "3.2"}, {"status": "affected", "version": "3.3"}, {"status": "affected", "version": "3.4"}, {"status": "affected", "version": "3.5"}, {"status": "affected", "version": "3.6"}, {"status": "affected", "version": "3.7"}, {"status": "affected", "version": "3.8"}, {"status": "affected", "version": "3.9"}, {"status": "affected", "version": "3.10"}, {"status": "affected", "version": "3.11"}, {"status": "affected", "version": "4.0"}, {"status": "affected", "version": "4.1"}, {"status": "affected", "version": "4.2"}, {"status": "affected", "version": "4.3"}, {"status": "affected", "version": "4.4"}, {"status": "affected", "version": "4.5"}, {"status": "affected", "version": "5.0"}]}], "timeline": [{"lang": "en", "time": "2026-01-18T01:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-21T01:00:00.000Z", "value": "Vendor acknowledged"}, {"lang": "en", "time": "2026-01-27T21:29:20.000Z", "value": "Countermeasure disclosed"}, {"lang": "en", "time": "2026-02-05T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-06T05:29:02.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344487", "name": "VDB-344487 | iomad Company Admin Block sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344487", "name": "VDB-344487 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/iomad/iomad/issues/2559", "tags": ["issue-tracking"]}, {"url": "https://github.com/iomad/iomad/issues/2559#issuecomment-3841174677", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/iomad/iomad/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:18:49.693Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1517", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:18:49.693Z", "dateReserved": "2026-01-28T06:31:08.514Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-05T12:02:06.834Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue."}, {"lang": "es", "value": "Una vulnerabilidad fue identificada en iomad hasta 5.0. Afecta a una funci\u00f3n desconocida del componente Company Admin Block. Dicha manipulaci\u00f3n conduce a inyecci\u00f3n SQL. El ataque puede ser ejecutado remotamente. Es una buena pr\u00e1ctica aplicar un parche para resolver este problema."}], "id": "CVE-2026-1517", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-05T12:15:59.930", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/iomad/iomad/"}, {"source": "cna@vuldb.com", "url": "https://github.com/iomad/iomad/issues/2559"}, {"source": "cna@vuldb.com", "url": "https://github.com/iomad/iomad/issues/2559#issuecomment-3841174677"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.344487"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.344487"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:26:01.297470+00:00", "value": {"mitigation_remediation": ["Apply the latest iomad update that fixes the Company Admin Block injection issue, ensuring the software version exceeds\u00a05.0.", "Restrict external network access to the iomad instance by placing it behind a firewall and limiting connections to trusted administrative networks only.", "Implement proper input validation and use parameterized queries for any database interactions in the Company Admin Block, following secure coding practices to prevent injection."], "summary": {"action": "Apply Patch", "impact": "Unauthorized database manipulation via SQL injection"}, "threat_synthesis": {"affected_systems": "The flaw is present in iomad releases up to and including version\u00a05.0. All customers using these versions, regardless of their deployment size or operating system, are potentially exposed when the affected component is reachable from the network. No specific operating system or platform information is supplied, so the risk applies to any environment running a vulnerable instance of iomad.", "description_and_impact": "The vulnerability resides in an undocumented function of iomad\u2019s Company Admin Block. Malicious input that is not properly sanitized can be used to inject arbitrary SQL statements, allowing an attacker to read, modify or delete data from the database. The flaw is a classic example of an Insecure Direct Object Reference problem (CWE\u201174) compounded by a traditional SQL injection (CWE\u201189), which can compromise the confidentiality and integrity of the application data.", "risk_and_exploitability": "The CVSS score of\u00a05.1 indicates a moderate severity, while the EPSS score of less than\u00a01% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is remote; an attacker must connect to the system over the network to submit the malicious input. Because no authentication or privilege requirements are explicitly stated in the CVE data, the exploit is assumed to be possible against any user who can access the vulnerable functionality."}}}}, "created": "2026-02-06T12:05:38.068853+00:00", "updated": "2026-04-18T18:30:07.290429+00:00", "vendors": ["iomad", "iomad$PRODUCT$company_admin_block"]}