CVE-2026-10880
SQL Injection in QuantaStor SDS Manager
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: Black Lantern Security
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osnexus | quantastor | to 6.6.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to bypass authentication and gain administrator access, potentially exposing sensitive data stored within the system.
Such unauthorized access and potential data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Therefore, this vulnerability poses a significant risk to compliance with these standards by undermining the confidentiality, integrity, and availability of protected data.
Can you explain this vulnerability to me?
CVE-2026-10880 is an unauthenticated SQL injection vulnerability in the OSNexus QuantaStor SDS Manager, specifically affecting the login endpoint. The username field is not properly sanitized before being used in a SQL query, which allows a remote attacker to inject malicious SQL code.
This flaw enables an attacker to bypass authentication and log in as an administrator without needing a valid password. Additionally, attackers can exploit blind SQL injection techniques to extract sensitive data such as administrator password hashes by analyzing error messages returned from the system.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized administrative access to the affected system. An attacker can bypass login controls, gaining full administrative privileges without valid credentials.
With administrative access, the attacker can manipulate, steal, or destroy sensitive data, disrupt system operations, and potentially use the compromised system as a foothold for further attacks within the network.
The CVSS score of 9.8 indicates a critical severity, highlighting the high risk and potential damage from exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the login endpoint's username field for SQL injection. An attacker or tester can inject SQL payloads into the username field to observe if authentication can be bypassed or if error messages reveal database information.
Detection involves sending crafted requests to the login form with SQL injection payloads in the username field and analyzing the responses for authentication bypass or error-based information leakage.
- Use tools like sqlmap or manual curl commands to inject SQL payloads into the username parameter of the login endpoint.
- Example curl command to test for SQL injection (replace <URL> with the target login endpoint):
- curl -X POST <URL> -d 'username=admin' OR '1'='1' --data-urlencode 'password=anything'
- Observe if authentication is bypassed or if error messages differ when injecting different payloads.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the login endpoint, applying input validation and sanitization on the username field to prevent SQL injection, and updating the software to a patched version once available.
Until a patch is applied, consider implementing network-level protections such as firewall rules or web application firewalls (WAF) to block malicious SQL injection attempts targeting the login endpoint.
Additionally, monitor logs for suspicious login attempts or unusual error messages that may indicate exploitation attempts.