CVE-2026-34185
SQL Injection in Hydrosystem Control System Allows Full DB Control
Publication date: 2026-04-09
Last updated on: 2026-04-20
Assigner: CERT.PL
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hydrosystem.poznan | control_system | up to 9.8.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Hydrosystem Control System is vulnerable to SQL injection in most of its scripts and input parameters.
Because there are no protections in place, an authenticated attacker can inject arbitrary SQL commands into the system.
This can potentially allow the attacker to gain full control over the database.
The issue was fixed in version 9.8.5 of the Hydrosystem Control System.
How can this vulnerability impact me?
This vulnerability can have serious impacts because it allows an authenticated attacker to execute arbitrary SQL commands.
Such control can lead to unauthorized access, modification, or deletion of sensitive data stored in the database.
It may also allow the attacker to compromise the integrity and availability of the system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in version 9.8.5 of the Hydrosystem Control System.
The immediate mitigation is to upgrade the Hydrosystem Control System to version 9.8.5 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to perform SQL Injection, potentially gaining full control over the database. This could lead to unauthorized access, modification, or disclosure of sensitive data.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.
However, the provided information does not explicitly state the impact on compliance with these standards.