VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-10880

Description

OSNexus QuantaStor SDS Manager 6.6.1 and earlier is vulnerable to unauthenticated SQL injection in the login endpoint, allowing bypass of authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OSNexus QuantaStor SDS Manager 6.6.1 and earlier is vulnerable to unauthenticated SQL injection in the login endpoint, allowing bypass of authentication.

Vulnerability

OSNexus QuantaStor SDS Manager versions up to and including 6.6.1 are vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized, allowing an unauthenticated remote attacker to inject SQL code before authentication. [1]
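To make the bug class concrete, here is an added example that is not QuantaStor's code: the product's schema, column names and login logic are not public on this page, so every name below (the `users` table, `pw_hash`, the helper functions) is an assumption chosen only to show the flaw and its fix. `login_vulnerable` splices the username into the SQL text, so a quote in it ends the string literal and whatever follows is parsed as SQL; `login_parameterized` binds the username as a query parameter and moves the password comparison out of SQL into a constant-time check.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the product's credential store. The real QuantaStor
# schema and login code are not public here; every name below is an assumption
# chosen only to show the bug class and its fix.

# Simplification: one application-wide salt so the hash can be computed before
# the row is fetched. Production code uses a per-user salt (or a dedicated
# password-hashing library); the injection point is the same either way.
_SALT = b"example-salt-not-for-production"


def hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()


def make_db(admin_password: str = "correct-horse") -> sqlite3.Connection:
    """In-memory users table holding one administrator (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hash_password(admin_password)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The flawed pattern: the username is concatenated into the SQL text, so a
    quote character in it terminates the literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + hash_password(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """The fix: bind the username as a parameter (the driver never parses it as
    SQL) and compare the password hash in application code, in constant time."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    if hmac.compare_digest(row[0], hash_password(password)):
        return username
    return None


if __name__ == "__main__":
    db = make_db()
    # A username carrying a quote and an SQL comment marker, with a wrong password.
    crafted = "admin' --"
    print("vulnerable   :", login_vulnerable(db, crafted, "wrong"))      # admin
    print("parameterized:", login_parameterized(db, crafted, "wrong"))   # None
```

Run with `python3` and compare the two lines: the concatenating version returns `admin` for a username that carries a quote and a comment marker even though the password is wrong, while the parameterized version treats the whole string as a literal username, finds no such row and returns `None`. Parameter binding is the structural fix the page's Mitigation section implies; input filtering on the username alone is not a substitute for it.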

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by submitting a crafted SQL payload into the username field on the login page. The specific behavior and impact can vary depending on whether the default administrator password has been changed. If the default password is still in use, the attacker can log in with default credentials or bypass authentication via SQL injection. If the password has been changed, the SQL injection can be used as a blind SQL injection to infer database values. [1]

Impact

Successful exploitation allows an attacker to bypass authentication and log in as an administrator without needing a valid password. This grants the attacker full administrative control over the OSNexus QuantaStor SDS Manager, potentially leading to unauthorized access, modification, or deletion of storage management configurations and data. [1]

Mitigation

OSNexus QuantaStor SDS Manager versions 6.6.1 and earlier are affected. The fix is in version 6.7.0, released on May 28, 2026; users are advised to upgrade to version 6.7.0 or later. [1]

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)