Description
An SQL injection vulnerability in the Web Server component of Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 allows a remote, unauthenticated attacker to inject SQL. The vulnerability affects systems where both the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.
References (2)
Vendor advisory (patch): https://documentation.commvault.com/securityadvisories/CV_2025_04_2.html
Third-party advisory: https://www.vulncheck.com/advisories/commvault-commserve-web-server-unauth-sqli
Scores
CVSS v4: 6.9
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0046
EPSS Percentile: 36.8%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-89
Status: published
Products (3)
Commvault/Commvault: 11.32.0 - 11.32.93
Commvault/Commvault: 11.36.0 - 11.36.51
Commvault/Commvault: 11.38.0 - 11.38.19
Published: Jul 25, 2025
Tracked Since: Feb 18, 2026