CVE Catalog

CVE-2026-3843

Critical
Published: Translated: NVD NIST

Summary

The Nefteprodukttekhnika BUK TS-G Gas Station Automation System version 2.9.1 on Linux contains a SQL Injection vulnerability in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint to execute arbitrary SQL commands.

Risk Assessment

This vulnerability may lead to remote code execution, posing a serious threat to the security of the system and the organization's data.

Recommendation

It is recommended to update the system to the latest version that addresses this vulnerability and to implement appropriate security measures to restrict unauthorized request submissions.

Original NVD description (English source)

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS