An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the get request handler. Attackers can remotely inject time-delayed SQL payloads to induce server response delays, enabling time-based inference and iterative extraction of sensitive database contents without authentication.
References
Link | Resource |
---|---|
https://seclists.org/fulldisclosure/2025/May/21 | Mailing List |
http://seclists.org/fulldisclosure/2025/May/21 | Mailing List |
History
12 Jun 2025, 16:20
Type | Values Removed | Values Added |
---|---|---|
First Time | Rsiqueue management System, Rsiqueue | |
References | () https://seclists.org/fulldisclosure/2025/May/21 - Mailing List | |
References | () http://seclists.org/fulldisclosure/2025/May/21 - Mailing List | |
CPE | cpe:2.3:a:rsiqueue:management_system:3.0:*:*:*:*:*:*:* | |
Summary | | |
20 May 2025, 16:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-89 | |
CVSS | v2 : v3 : | v2 : unknown, v3 : 7.5 |
20 May 2025, 15:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-05-20 15:16
Updated : 2025-06-12 16:20
NVD link : CVE-2025-26086
Mitre link : CVE-2025-26086
CVE.ORG link : CVE-2025-26086
Products Affected
rsiqueue
- management_system
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')