CVE-2026-3843
CriticalSummary
The Nefteprodukttekhnika BUK TS-G Gas Station Automation System version 2.9.1 on Linux contains a SQL Injection vulnerability in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint to execute arbitrary SQL commands.
Risk Assessment
This vulnerability may lead to remote code execution, posing a serious threat to the security of the system and the organization's data.
Recommendation
It is recommended to update the system to the latest version that addresses this vulnerability and to implement appropriate security measures to restrict unauthorized request submissions.
Original NVD description (English source)
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.

