CVE-2025-46546

LOW

Sherpa Orchestrator 141851 - SQL Injection

Title source: llm
STIX 2.1

Description

In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/.

References (4)

Core 4

Scores

CVSS v3 3.5
EPSS 0.0035
EPSS Percentile 26.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
sherparpa/sherpa_orchestrator 141851
Published Apr 25, 2025
Tracked Since Feb 18, 2026