CVE-2026-3843

Received Received - Intake

SQL Injection in Nefteprodukttekhnika BUK TS-G Enables RCE

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-10

Last Modified

2026-03-10

Generated

2026-05-07

AI Q&A

2026-03-10

EPSS Evaluated

2026-05-05

NVD

CVE-2026-3843

EUVD

EUVD-2026-10492

Affected Vendors & Products

Vendor	Product	Version / Range
nefteprodukttekhnika	buk_ts-g_gas_station_automation_system	2.9.1

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

The vulnerability is a SQL Injection (CWE-89) found in the Nefteprodukttekhnika BUK TS-G Gas Station Automation System version 2.9.1 running on Linux. It exists in the system configuration module where a remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint. By manipulating the sql parameter in the application/x-www-form-urlencoded data, the attacker can execute arbitrary SQL commands.

This can potentially allow the attacker to perform unauthorized actions on the database, including remote code execution.

How can this vulnerability impact me? :

This vulnerability can have severe impacts as it allows a remote attacker to execute arbitrary SQL commands without any authentication or user interaction.

Unauthorized access to sensitive data stored in the database.
Modification or deletion of critical data.
Potential remote code execution, which could lead to full system compromise.
Disruption of gas station automation system operations.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

What immediate steps should I take to mitigate this vulnerability?

I don't know

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-3843

SQL Injection in Nefteprodukttekhnika BUK TS-G Enables RCE

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart