CVE-2026-22197
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gestsup | gestsup | to 3.2.56 (inc) |
| gestsup | gestsup | From 3.2.45 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22197 is a set of multiple SQL injection vulnerabilities in GestSup versions up to 3.2.56, specifically in the asset list functionality. Several request parameters used to filter, search, or sort assets are directly included in SQL queries without proper sanitization, allowing an authenticated attacker to manipulate these queries. This can lead to unauthorized access or modification of the database depending on the attacker's database privileges. [2]
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow an authenticated attacker to manipulate database queries, potentially resulting in unauthorized access to sensitive data or unauthorized modification of database contents. The impact includes high confidentiality, integrity, and availability risks to the database, depending on the privileges of the attacker within the database. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SQL injection vulnerability involves monitoring and analyzing requests to the asset list functionality for suspicious input patterns in filtering, searching, or sorting parameters that could manipulate SQL queries. Since the vulnerability requires authentication, review authenticated requests for unusual or malformed parameters that could indicate SQL injection attempts. Specific commands are not provided in the resources, but typical approaches include using web application firewalls (WAF) with SQLi detection rules, inspecting logs for SQL error messages, or employing automated vulnerability scanners targeting SQL injection in authenticated sessions. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading GestSup to a version later than 3.2.56 where the vulnerability is fixed. If an upgrade is not immediately possible, restrict access to the asset list functionality to trusted users only, enforce strong authentication and authorization controls, and monitor for suspicious activity. Additionally, applying web application firewall rules to detect and block SQL injection attempts can help reduce risk until a patch is applied. [2]