CVE-2026-3843

Analyzed Analyzed - Analysis Complete

SQL Injection in Nefteprodukttekhnika BUK TS-G Enables RCE

Publication date: 2026-03-10

Last updated on: 2026-05-07

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-10

Last Modified

2026-05-07

Generated

2026-06-16

AI Q&A

2026-03-10

EPSS Evaluated

2026-06-15

NVD

CVE-2026-3843

EUVD

EUVD-2026-10492

Affected Vendors & Products

Vendor	Product	Version / Range
bukts	buk_ts-g_gas_station_automation_system	From 2.9.1 (inc) to 2.10.2 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

The vulnerability is a SQL Injection (CWE-89) found in the Nefteprodukttekhnika BUK TS-G Gas Station Automation System version 2.9.1 running on Linux. It exists in the system configuration module where a remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint. By manipulating the sql parameter in the application/x-www-form-urlencoded data, the attacker can execute arbitrary SQL commands.

This can potentially allow the attacker to perform unauthorized actions on the database, including remote code execution.

Impact Analysis

This vulnerability can have severe impacts as it allows a remote attacker to execute arbitrary SQL commands without any authentication or user interaction.

Unauthorized access to sensitive data stored in the database.
Modification or deletion of critical data.
Potential remote code execution, which could lead to full system compromise.
Disruption of gas station automation system operations.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-3843. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-3843

SQL Injection in Nefteprodukttekhnika BUK TS-G Enables RCE

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart