CVE-2025-26086: An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the get request...

Description

An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the get request handler. Attackers can remotely inject time-delayed SQL payloads to induce server response delays, enabling time-based inference and iterative extraction of sensitive database contents without authentication.

Classification

CVE ID: CVE-2025-26086

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.17% (probability of being exploited)

EPSS Percentile: 39.48% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-18 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26086
https://seclists.org/fulldisclosure/2025/May/21

Timeline