216.73.217.64

CVE-2026-31069

· Published 19/05/2026 16:16 · Modified 20/05/2026 14:16

Labels: CVE-2026-31069 2026-05-19CVE-2026-31069CWE-89[email protected]

Essential information

Published
19/05/2026 16:16
Modified
20/05/2026 14:16
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
billabear / billabear cpe:2.3:a:billabear:billabear:*:*:*:*:*:*:*:*

References