Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection. Users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
References (2)
Core References
Various Sources: https://docs.opennms.com/meridian/2024/releasenotes/changelog.html#releasenotes-changelog-Meridian-2024.2.6
Issue Tracking: https://github.com/OpenNMS/opennms/pull/7709
Scores
CVSS v4: 6.9
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0021
EPSS Percentile: 10.9%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-89
Status: published
Products (4)
The OpenNMS Group/Horizon: 25.2.1 - 33.0.8
The OpenNMS Group/Horizon: 25.2.1 - 33.1.6, 33.1.7
The OpenNMS Group/Horizon: 33.0.8 - 33.1.6, 33.1.7
The OpenNMS Group/Meridian: 2024.1.0 - 2024.2.6, 2024.2.7
Published: Jun 26, 2025
Tracked Since: Feb 18, 2026