VYPR
High severity (8.8) · NVD Advisory · Published Mar 19, 2026 · Updated Apr 27, 2026

CVE-2026-30711

Description

Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Devome GRR v4.5.0 contains multiple authenticated SQL injections in session.inc.php via unsanitized referer and user-agent headers.

Vulnerability Details

CVE-2026-30711 describes multiple authenticated SQL injection vulnerabilities discovered in Devome GRR version 4.5.0. The flaws are located in the include/session.inc.php file, where the HTTP referer and user-agent headers are incorporated into SQL queries without proper sanitization or parameterization. This allows an authenticated attacker to inject arbitrary SQL commands by crafting malicious values in these headers [1].
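The pattern behind this class of bug, and the fix the description points to (parameterization), shown as an added PHP example. This is not code from GRR or from the advisory; it assumes a mysqli connection `$db` and a hypothetical table `grr_sessions` with `session_id`, `user_id`, `referer`, `user_agent` and `last_seen` columns, chosen only to make the two functions runnable side by side.

```php
<?php
// Added illustration, not GRR's own code. Assumes a mysqli connection $db and a
// hypothetical table grr_sessions(session_id, user_id, referer, user_agent, last_seen).

// VULNERABLE PATTERN: request header values are concatenated straight into the
// SQL text, so whatever a client sends in Referer or User-Agent is parsed as SQL.
// Any authenticated client can set both headers freely.
function record_session_unsafe(mysqli $db, string $sessionId, int $userId): bool
{
    $referer   = $_SERVER['HTTP_REFERER']    ?? '';
    $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';

    $sql = "UPDATE grr_sessions SET referer = '" . $referer . "', user_agent = '" . $userAgent
         . "', last_seen = NOW() WHERE session_id = '" . $sessionId . "' AND user_id = " . $userId;

    return $db->query($sql) !== false;
}

// HARDENED PATTERN: the SQL text is fixed at prepare time and the header values
// travel as bound parameters, so the database never interprets them as SQL.
// Values are also capped to the column width so oversized headers cannot cause
// silent truncation or errors that would leak query structure.
function record_session_safe(mysqli $db, string $sessionId, int $userId): bool
{
    $referer   = mb_substr($_SERVER['HTTP_REFERER']    ?? '', 0, 255);
    $userAgent = mb_substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255);

    $stmt = $db->prepare(
        'UPDATE grr_sessions SET referer = ?, user_agent = ?, last_seen = NOW() '
        . 'WHERE session_id = ? AND user_id = ?'
    );
    if ($stmt === false) {
        return false;
    }
    // Type string: s = string, i = integer. Binding (not escaping) is what
    // removes the injection, because the value is sent separately from the query.
    $stmt->bind_param('sssi', $referer, $userAgent, $sessionId, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

When auditing a PHP code base for this bug class, grep for `$_SERVER['HTTP_` (and `getenv('HTTP_`) appearing anywhere near a string that is later passed to `query()` or `mysqli_query()`; every such value is attacker-controlled even when the user is logged in. The same fix applies with PDO, provided emulated prepares are disabled (`PDO::ATTR_EMULATE_PREPARES => false`) so the parameters are bound server-side.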

Exploitation Conditions

An attacker must first have a valid authenticated session with the GRR application. The attack does not require special privileges; any authenticated user can exploit the injection points. The attacker can manipulate the referer or user-agent headers of HTTP requests to the application, and the server-side code unsafely concatenates these values into SQL queries. Because the application relies heavily on GET requests for state-changing operations, exploitation vectors are numerous and impact is severe [2].

Impact

Successful exploitation enables the attacker to read, modify, or delete arbitrary data in the underlying database. Depending on the database configuration, this could lead to privilege escalation, disclosure of sensitive information (including user credentials), or complete compromise of the application. The vulnerability is rated HIGH severity with a CVSS v3 score of 8.8, reflecting the high impact on confidentiality, integrity, and availability, although it requires authenticated access [1].

Mitigation

The vulnerabilities have been addressed in GRR release 4.5.0, which is available from the vendor's GitHub repository. Users are strongly advised to upgrade to this patched version immediately. No workarounds are documented, but administrators can consider restricting access to the application to trusted networks and minimizing the number of authenticated users until the upgrade can be applied [2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)