CVE-2026-57587

Received Received - Intake

SQL Injection in Nessus Scanner

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Tenable Network Security, Inc.

Description

A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-25

Last Modified

2026-06-25

Generated

2026-06-25

AI Q&A

2026-06-25

EPSS Evaluated

N/A

NVD

CVE-2026-57587

EUVD

EUVD-2026-39408

Affected Vendors & Products

Vendor	Product	Version / Range
tenable	nessus	*

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Compliance Impact

The vulnerability allows a remote, unauthenticated attacker to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.

Such unauthorized data exfiltration could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access or disclosure.

However, there is no explicit information provided about the direct impact of this vulnerability on compliance with these standards.

Executive Summary

This vulnerability is a SQL injection issue in Nessus, a vulnerability scanning tool. It allows a remote, unauthenticated attacker who can control the reverse DNS records of a scanned host to inject malicious SQL commands into the scan results database.

By exploiting this, the attacker can manipulate the database that stores scan results, potentially leading to unauthorized access or modification of that data.

Impact Analysis

The primary impact of this vulnerability is the potential exfiltration of scan-result data from the Nessus database.

Since the attacker can inject SQL commands remotely without authentication, they might access sensitive information contained in the scan results, which could include details about vulnerabilities and configurations of scanned hosts.

Hi! I’m here to help you understand CVE-2026-57587. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-57587

SQL Injection in Nessus Scanner

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart