Critical severity9.8NVD Advisory· Published Mar 10, 2026· Updated May 7, 2026

CVE-2026-3843

Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.

Affected products

Bukts/Buk Ts G Gas Station Automation System
cpe:2.3:a:bukts:buk_ts-g_gas_station_automation_system:*:*:*:*:*:*:*:*
Range: >=2.9.1,<2.10.2
Nefteprodukttekhnika Llc/Buk Ts G Gas Station Automation Systemv5
Range: 2.9.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bdu.fstec.ru/vul/2025-13914nvdBroken Link
bukts.ru/repo-bukts-currentnvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000