HIGH✓ PATCH🇬🇧 English

CVE-2026-23780

CVSS 8.8v3.1pub. 2026-04-10upd. 2026-04-27

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Bmc Control M\/managed File Transfer

    APP
    Bmc
    9.0.20 – 9.0.22
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
RCESQLi
CWE
Referencje

Powiązane podatności

CVE-2026-23781CRITICAL9.8PL ✓ten sam produkt

BMC Control-M/MFT — zakodowane na stałe dane logowania w kodzie (hardcoded credentials)

CVE-2026-23782HIGH7.5ten sam produkt

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthen...

CVE-2025-55113CRITICAL9.5PL ✓ten sam vendor

BMC Control-M/Agent: Bypass ACL przez NULL byte w certyfikacie klienta

CVE-2025-55109CRITICAL9.5PL ✓ten sam vendor

BMC Control-M/Agent: Authentication Bypass przez niezabezpieczony keystore

CVE-2025-55115CRITICAL9.3PL ✓ten sam vendor

Path traversal w BMC Control-M/Agent prowadzący do privilege escalation

CVE-2026-23780 — HIGH 8.8 | CVEbaza.pl