CVE-2026-6888

HIGH

Advantech SaaS Composer < 3.4.17 - Authenticated SQL Injection via Specific Interface

Title source: llm

Description

Successful exploitation of the SQL injection vulnerability could allow a remote authenticated attacker to execute arbitrary commands via a specific interface, potentially enabling the attacker to access, modify, or delete sensitive information within the database.

Scores

CVSS v3 7.2
EPSS 0.0010
EPSS Percentile 27.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (8)
Advantech/ECOWatch SaaS-Composer prior to version 3.4.17
Advantech/IoT Edge Linux docker prior to version 2.2.0
Advantech/IoT Edge Windows prior to version 2.2.0
Advantech/IoTSuite Growth Linux docker prior to version 2.2.0
Advantech/IoTSuite Starter Linux docker prior to version 2.2.0
Advantech/SaaS Composer prior to version 3.4.17
Advantech/WebAccess SaaS-Composer prior to version 3.4.17.1
Advantech/WebAccess/SCADA prior to version 9.2.3
Published May 13, 2026
Tracked Since May 13, 2026