CVE-2026-0603
Hibernate - SQL Injection
Severity
HIGH
Title source: llmDescription
A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow data manipulation or deletion within the application's database, resulting in an application-level denial of service.
Exploits (1)
References (8)
Scores
CVSS v3
8.3
EPSS
0.0006
EPSS Percentile
18.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Details
CWE
CWE-89
Status
published
Products (24)
org.hibernate/hibernate-core
5.2.8 (Maven)
Red Hat/Red Hat AMQ Broker 7
Red Hat/Red Hat build of OptaPlanner 8
Red Hat/Red Hat Data Grid 8
Red Hat/Red Hat Fuse 7
Red Hat/Red Hat JBoss Enterprise Application Platform 7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:5.1.17-4.Final_redhat_00005.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
0:7.1.14-4.GA_redhat_00003.1.ep7.el7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
0:5.3.38-1.Final_redhat_00001.1.el7eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
0:7.3.17-5.GA_redhat_00006.1.el7eap
... and 14 more
Published
Jan 23, 2026
Tracked Since
Feb 18, 2026