CVE-2026-10880
Awaiting Analysis Awaiting Analysis - Queue
SQL Injection in QuantaStor SDS Manager

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Black Lantern Security

Description
OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a valid password.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-26
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-24
NVD
CVE-2026-10880
EUVD
EUVD-2026-34305
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
osnexus quantastor to 6.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10880 is an unauthenticated SQL injection vulnerability in the OSNexus QuantaStor SDS Manager, specifically affecting the login endpoint. The username field is not properly sanitized before being used in a SQL query, which allows a remote attacker to inject malicious SQL code.

This flaw enables an attacker to bypass authentication and log in as an administrator without needing a valid password. Additionally, attackers can exploit blind SQL injection techniques to extract sensitive data such as administrator password hashes by analyzing error messages returned from the system.

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authentication and gain administrator access, potentially exposing sensitive data stored within the system.

Such unauthorized access and potential data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Therefore, this vulnerability poses a significant risk to compliance with these standards by undermining the confidentiality, integrity, and availability of protected data.

Impact Analysis

This vulnerability can have severe impacts including unauthorized administrative access to the affected system. An attacker can bypass login controls, gaining full administrative privileges without valid credentials.

With administrative access, the attacker can manipulate, steal, or destroy sensitive data, disrupt system operations, and potentially use the compromised system as a foothold for further attacks within the network.

The CVSS score of 9.8 indicates a critical severity, highlighting the high risk and potential damage from exploitation.

Detection Guidance

This vulnerability can be detected by testing the login endpoint's username field for SQL injection. An attacker or tester can inject SQL payloads into the username field to observe if authentication can be bypassed or if error messages reveal database information.

Detection involves sending crafted requests to the login form with SQL injection payloads in the username field and analyzing the responses for authentication bypass or error-based information leakage.

  • Use tools like sqlmap or manual curl commands to inject SQL payloads into the username parameter of the login endpoint.
  • Example curl command to test for SQL injection (replace <URL> with the target login endpoint):
  • curl -X POST <URL> -d 'username=admin' OR '1'='1' --data-urlencode 'password=anything'
  • Observe if authentication is bypassed or if error messages differ when injecting different payloads.
Mitigation Strategies

Immediate mitigation steps include restricting access to the login endpoint, applying input validation and sanitization on the username field to prevent SQL injection, and updating the software to a patched version once available.

Until a patch is applied, consider implementing network-level protections such as firewall rules or web application firewalls (WAF) to block malicious SQL injection attempts targeting the login endpoint.

Additionally, monitor logs for suspicious login attempts or unusual error messages that may indicate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10880. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart