CVE-2026-34185

HIGH

SQL Injection in Hydrosystem Control System

Title source: cna

Description

Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5

References (2)

[Third Party Advisory] https://cert.pl/posts/2026/04/CVE-2026-4901/

[Product] https://www.hydrosystem.poznan.pl/

Scores

CVSS v3 8.8

EPSS 0.0003

EPSS Percentile 9.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (2)

Hydrosystem/Control System < 9.8.5

hydrosystem.poznan/control_system < 9.8.5

Published Apr 09, 2026

Tracked Since Apr 09, 2026