Critical severity9.8NVD Advisory· Published Aug 5, 2016· Updated May 6, 2026

CVE-2016-4999

Description

SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/91795nvdThird Party AdvisoryVDB Entry
access.redhat.com/errata/RHSA-2016:1428nvdVendor Advisory
access.redhat.com/errata/RHSA-2016:1429nvdVendor Advisory
github.com/dashbuilder/dashbuilder/commit/8574899e3b6455547b534f570b2330ff772e524bnvdThird Party Advisory
bugzilla.redhat.com/show_bug.cginvdIssue Tracking
issues.jboss.org/browse/DASHBUILDE-113nvdPermissions Required

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.006
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000