CVE-2026-4594 MEDIUM

CVE-2026-4594: erupts erupt EruptJpaUtils.java geneEruptHqlOrderBy sql injection

Vendor Erupts

Product erupt

Weakness CWE-564

Published March 23, 2026

Last update March 24, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Such manipulation of the argument sort.field leads to sql injection hibernate. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

Disclosure timeline

March 23, 2026 CVE published

March 24, 2026 Record updated

Identifiers

CVE CVE-2026-4594

CWE CWE-564

CVSS 6.9 / MEDIUM

Affected versions

Vendor Erupts

Product erupt

Affected 1.13.0

Vendor Erupts

Product erupt

Affected 1.13.1

Vendor Erupts

Product erupt

Affected 1.13.2

Vendor Erupts

Product erupt

Affected 1.13.3