CVE-2026-2235
Description
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in HGiga C&Cm@il allows attackers to read arbitrary database contents.
Vulnerability Details
CVE-2026-2235 is a SQL Injection vulnerability found in the C&Cm@il package by HGiga, specifically in versions of olln-base prior to 7.0-978 [1][2]. The vulnerability stems from improper handling of user input within authenticated areas of the application, allowing an attacker to inject arbitrary SQL commands [1][2].
Attack Vector
The attack requires authentication; an attacker must have valid credentials to the C&Cm@il system [1][2]. Once authenticated, the attacker can exploit the vulnerability remotely over the network without any additional privileges [1][2]. This makes it distinct from CVE-2026-2236, which does not require authentication [1][2].
Impact
A successful exploit allows the attacker to read database contents, leading to confidential information disclosure [1][2]. The CVSS v3 score is 6.5 (Medium), with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [1][2], reflecting a high impact on confidentiality (C:H) and no impact on integrity or availability (I:N/A:N).
Mitigation
HGiga has released a fix in olln-base version 7.0-978 or later [1][2]. Users should update to this version or later to remediate the vulnerability. No workarounds are currently documented.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (No linked articles in our index yet.)