Last updated: May 13, 2026 at 5:42 AM UTC
Tag: sql-injection (4 articles)

SAP patches two critical CVSS 9.6 flaws in Commerce Cloud and S/4HANA - the ERP and e-commerce platforms behind most large retailers and global enterprises (CVE-2026-34263, CVE-2026-34260)

SAP's May Patch Day included two CVSS 9.6 critical flaws. CVE-2026-34263 in Commerce Cloud is a missing authentication check caused by improperly ordered Spring Security rules - unauthenticated attackers can upload configurations and inject code. CVE-2026-34260 in S/4HANA is a SQL injection in the ABAP Enterprise Search component that lets low-privilege authenticated users steal sensitive database records. Both land less than two weeks after four SAP npm packages were hit in the Mini Shai-Hulud attack, putting SAP customers under compounding patch pressure.

Check
Inventory SAP Commerce Cloud and S/4HANA instances. Check note application status in Solution Manager or SAP Support Portal. Search application logs for unusual configuration upload attempts.
Affected
SAP Commerce Cloud (all on-premises releases before the patch) - CVE-2026-34263, CVSS 9.6. S/4HANA with ABAP Enterprise Search enabled - CVE-2026-34260, CVSS 9.6. Internet-facing Commerce Cloud is at acute risk.
Fix
Apply SAP Security Notes 3733064 (Commerce Cloud) and 3724838 (S/4HANA). Restrict Commerce Cloud admin endpoints to trusted IPs. Audit Enterprise Search query logs for SQL injection signatures.

AI security tool finds 38 previously unknown bugs in OpenEMR, the open-source health records system used by 100,000 healthcare providers - two of them rated maximum severity

Aisle, an AI-driven application security firm, ran its analyzer over OpenEMR's source code and found 38 previously unknown vulnerabilities, including two with maximum severity (CVSS 10.0). OpenEMR is the open-source electronic health records system used by 100,000 healthcare providers serving 200 million patients. The two critical bugs let attackers reach into patient databases without logging in: CVE-2026-24898 lets any unauthenticated visitor receive the medical practice's API tokens by sending a single POST request, and CVE-2026-24908 is a SQL injection in the patient REST API. OpenEMR has now patched all 38.

Check
If your organization runs OpenEMR, upgrade to the latest patched build today and audit access logs for unauthenticated POST requests to MedEx recall/reminder endpoints.
Affected
OpenEMR deployments before the April 2026 security update. Particularly acute for any internet-reachable instance because CVE-2026-24898 is unauthenticated. The 100,000 OpenEMR healthcare providers are typically smaller US clinics and under-resourced settings worldwide - the segments least likely to have a fast patching process.
Fix
Upgrade OpenEMR to the latest 8.x patched release. Audit application logs for any POST to the MedEx recall/reminder endpoint and for unusual _sort parameter values in the patient REST API - those are the exploit signatures. Restrict OpenEMR's admin and API endpoints to internal management networks. Rotate API tokens issued before the patch was applied since they may have been exposed via CVE-2026-24898.

Hackers raced to exploit a critical LiteLLM flaw 36 hours after disclosure - any attacker who could reach the proxy could read all stored AI API keys (CVE-2026-42208)

LiteLLM, the popular open-source gateway used to centralize API access for OpenAI, Anthropic, and other AI providers, has a critical pre-authentication SQL injection bug that attackers started exploiting just 36 hours after the security advisory went public. The flaw lets anyone who can reach the proxy port read all the API keys stored inside - including master keys, virtual keys, and provider credentials. The bug was in the bearer-token check: the token was concatenated into a SQL query instead of passed as a parameter. Sysdig saw the first attack at 04:24 UTC on April 26, hitting three tables that hold the most valuable secrets.

Check
If you run any internet-facing LiteLLM proxy, patch to v1.83.7-stable today and treat every API key, virtual key, and stored provider credential as compromised.
Affected
LiteLLM versions 1.81.16 through 1.83.6, internet-reachable on the default proxy port. CVE-2026-42208, CVSS 9.3, pre-auth SQL injection. Blast radius is closer to a full cloud account compromise than a typical web app bug because LiteLLM holds OpenAI, Anthropic, and AWS Bedrock credentials.
Fix
Patch to LiteLLM v1.83.7-stable. If you can't upgrade, set 'disable_error_logs: true' under 'general_settings' as a workaround. Rotate every virtual key, master key, and upstream provider credential. Audit upstream provider billing for unexpected API calls since April 24. Block traffic from 65.111.27.132 and 65.111.25.67 (AS200373).

Fortinet FortiClient EMS SQL injection actively exploited - no authentication required (CVE-2026-21643)

A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is being exploited in the wild, and exploitation began four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.

Check
Check if you run FortiClient EMS with its web interface exposed to the internet.
Affected
FortiClient EMS 7.4.4 with multi-tenant mode enabled. Single-site deployments are not affected.
Fix
Upgrade to FortiClient EMS 7.4.5 or later. Restrict access to the EMS administrative interface immediately.