{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3843", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-03-09T18:20:17.516Z", "datePublished": "2026-03-10T11:07:07.393Z", "dateUpdated": "2026-03-10T14:10:41.086Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-10T14:10:41.086Z"}, "title": "SQL Injection in Nefteprodukttekhnika BUK TS-G Allows Remote Code Execution", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "affected": [{"vendor": "Nefteprodukttekhnika LLC", "product": "BUK TS-G Gas Station Automation System", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "2.9.1", "lessThan": "2.10.2", "versionType": "semver"}, {"status": "unaffected", "version": "2.10.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&amp;sql=&lt;query_here&gt;&amp;reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.</p>"}]}], "references": [{"url": "https://bukts.ru/repo-bukts-current"}, {"url": "https://bdu.fstec.ru/vul/2025-13914"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"}}], "credits": [{"lang": "en", "value": "Yergashvoyev Jamshed (CVE GUY)", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:48:47.389155Z", "id": "CVE-2026-3843", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:48:53.529Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3843", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T13:48:47.389155Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:48:49.936Z"}}], "cna": {"title": "SQL Injection in Nefteprodukttekhnika BUK TS-G Allows Remote Code Execution", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Yergashvoyev Jamshed (CVE GUY)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Nefteprodukttekhnika LLC", "product": "BUK TS-G Gas Station Automation System", "versions": [{"status": "affected", "version": "2.9.1", "lessThan": "2.10.2", "versionType": "semver"}, {"status": "unaffected", "version": "2.10.2", "versionType": "semver"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://bukts.ru/repo-bukts-current"}, {"url": "https://bdu.fstec.ru/vul/2025-13914"}], "x_generator": {"engine": "Vulnogram"}, "descriptions": [{"lang": "en", "value": "Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.", "supportingMedia": [{"type": "text/html", "value": "<p>Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&amp;sql=&lt;query_here&gt;&amp;reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-10T14:10:41.086Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3843", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:10:41.086Z", "dateReserved": "2026-03-09T18:20:17.516Z", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "datePublished": "2026-03-10T11:07:07.393Z", "assignerShortName": "TuranSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bukts:buk_ts-g_gas_station_automation_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "69C3CC31-965C-4DF5-832A-50F4D962CA27", "versionEndExcluding": "2.10.2", "versionStartIncluding": "2.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution."}, {"lang": "es", "value": "Nefteprodukttekhnika BUK TS-G Sistema de Automatizaci\u00f3n de Estaciones de Servicio 2.9.1 en Linux contiene una vulnerabilidad de inyecci\u00f3n SQL (CWE-89) en el m\u00f3dulo de configuraci\u00f3n del sistema. Un atacante remoto puede enviar solicitudes HTTP POST especialmente dise\u00f1adas al endpoint /php/request.php a trav\u00e9s del par\u00e1metro sql en datos application/x-www-form-urlencoded (e.g., action=do&amp;sql=&amp;reload_driver=0) para ejecutar comandos SQL arbitrarios y potencialmente lograr ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2026-3843", "lastModified": "2026-05-07T20:34:27.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-03-10T18:19:05.287", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "tags": ["Broken Link"], "url": "https://bdu.fstec.ru/vul/2025-13914"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "tags": ["Broken Link"], "url": "https://bukts.ru/repo-bukts-current"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[2.9.1,2.10.2)"}}, {"platform": ["linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "2.10.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BUK TS-G Gas Station Automation System", "source": "cna", "vendor": "Nefteprodukttekhnika LLC"}, "product": "buk_ts-g_gas_station_automation_system", "vendor": "nefteprodukttekhnika_llc"}], "analysis": {"en": {"generated_at": "2026-04-16T09:51:40.538575+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest release of BUK TS-G Gas Station Automation System that contains the fix for the SQL injection issue. ", "Restrict external access to the /php/request.php endpoint by configuring firewalls or access control lists to allow only trusted IP addresses. ", "Implement input validation or switch to parameterized queries in the configuration module if custom development is feasible, addressing the underlying CWE\u201189 weakness."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Nefteprodukttekhnika LLC\u2019s BUK TS-G Gas Station Automation System, version 2.9.1, running on Linux. Users of this version should verify their installation on the specified platform.", "description_and_impact": "A SQL Injection flaw in the system configuration module of Nefteprodukttekhnika LLC's BUK TS-G Gas Station Automation System allows attackers to inject arbitrary SQL statements via the sql parameter of POST requests to /php/request.php. This weakness, classified as CWE-89, can lead to the execution of arbitrary database commands and potentially remote code execution if the database actions influence the operating system or application logic.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely over the network by sending crafted HTTP POST requests, indicating a remote attack vector with no local privilege or authentication requirements."}}}}, "created": "2026-03-11T11:50:18.258979+00:00", "updated": "2026-04-16T10:00:14.066557+00:00", "vendors": ["nefteprodukttekhnika_llc", "nefteprodukttekhnika_llc$PRODUCT$buk_ts-g_gas_station_automation_system"]}