CVE-2025-34136
Description
An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection vulnerability in Commvault's Web Server component allows remote attackers to execute arbitrary SQL commands, affecting multiple versions.
An SQL injection vulnerability exists in the Commvault Web Server component, affecting versions 11.32.0 through 11.32.93, 11.36.0 through 11.36.51, and 11.38.0 through 11.38.19 [1][2]. The flaw resides in the CommServe and Web Server roles, and no authentication is required to exploit it [1].
A remote, unauthenticated attacker can send specially crafted SQL queries to the Web Server, bypassing input validation. The vulnerability does not affect other Commvault components deployed in the same environment [1].
Successful exploitation allows an attacker to read, modify, or delete database contents, potentially compromising data confidentiality and integrity. The advisory assigns a CVSS v3.1 base score of 5.5 (Medium) [1][2].
Commvault has released patches in versions 11.32.94, 11.36.52, and 11.38.20. Users are advised to upgrade to these or later versions to mitigate the risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=11.32.0 <=11.32.93 / >=11.36.0 <=11.36.51 / >=11.38.0 <=11.38.19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.