Cyber Resilience

CVE-2026-21856

Severity: High · Public PoC referenced

Published: 07 January 2026
Modified: 03 February 2026
KEV Added: not listed
Patch: available (commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8)
CVSS v3.1 base score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0034 (25.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-21856 is a high-severity SQL injection (CWE-89) vulnerability in the Tarkov Data Manager (GitHub: the-hideout/tarkov-data-manager). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.6th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21856 is a time-based blind SQL injection vulnerability (CWE-89) in the Tarkov Data Manager, an open-source tool for managing item data related to the game Tarkov. The issue affects the webhook edit and scanner API endpoints in versions prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, enabling arbitrary SQL query execution against the backend MySQL database.

An authenticated attacker with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) within an unchanged security scope (S:U), giving the CVSS v3.1 base score of 7.2. The privilege requirement is what keeps the score below Critical: the same vector with PR:N would score 9.8. Treat the rating accordingly if, in a given deployment, the webhook edit or scanner endpoints are reachable by lower-privileged accounts or if high-privilege credentials are weakly protected.

Mitigation is provided by upgrading to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 or later, which patches the vulnerable endpoints. Further details on the vulnerability and fix are documented in the GitHub commit at https://github.com/the-hideout/tarkov-data-manager/commit/9bdb3a75a98a7047b6d70144eb1da1655d6992a8 and the security advisory at https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78.

Vulnerability details

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time-based blind SQL injection vulnerability in the webhook edit and scanner API endpoints allows an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct mapping to exploitation of a vulnerable web/API application (SQL injection in the webhook edit and scanner endpoints) allowing remote arbitrary query execution. Because the vector is PR:H, T1190 here presumes the adversary already holds high-privileged application credentials (compromised or insider), so detection should pair endpoint-level signals with monitoring of privileged account use.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
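Time-based blind injection leaves a distinctive fingerprint in access logs: the attacker asks one yes/no question per request and reads the answer from the response delay, so one client hits one endpoint repeatedly with latencies split into fast and slow, the slow ones clustered tightly around the SLEEP() value. The following detection is an added example, not from the page or the project; the log lines are constructed, and the line format and the endpoint paths are assumptions.

```javascript
// Added example, not from the page or the project. Constructed log lines in an
// assumed format: "<iso-time> <client-ip> <method> <path> <status> <ms>ms".
const SAMPLE_LOG = [
  '2026-01-05T10:00:01Z 203.0.113.7 POST /api/webhook/edit 200 41ms',
  '2026-01-05T10:00:02Z 203.0.113.7 POST /api/webhook/edit 200 5038ms',
  '2026-01-05T10:00:08Z 203.0.113.7 POST /api/webhook/edit 200 5021ms',
  '2026-01-05T10:00:14Z 203.0.113.7 POST /api/webhook/edit 200 39ms',
  '2026-01-05T10:00:20Z 203.0.113.7 POST /api/webhook/edit 200 5044ms',
  '2026-01-05T10:00:26Z 203.0.113.7 POST /api/webhook/edit 200 5019ms',
  '2026-01-05T10:01:00Z 198.51.100.4 GET /api/scanner 200 120ms',
  '2026-01-05T10:01:05Z 198.51.100.4 GET /api/scanner 200 98ms',
  '2026-01-05T10:02:00Z 192.0.2.9 GET /api/items 200 6100ms', // a single slow request is noise, not a pattern
];

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)ms$/.exec(line);
  return m
    ? { ts: m[1], ip: m[2], method: m[3], path: m[4], status: Number(m[5]), ms: Number(m[6]) }
    : null;
}

// Flag (client, method, path) groups with at least minSlow requests slower than
// slowMs, and report how tightly those slow latencies cluster: SLEEP(n) adds a
// near-constant delay, whereas genuine slowness is spread out.
function findTimingProbes(lines, { slowMs = 2000, minSlow = 3, maxSpreadMs = 500 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const key = `${r.ip} ${r.method} ${r.path}`;
    if (!groups.has(key)) groups.set(key, { key, total: 0, slow: [] });
    const g = groups.get(key);
    g.total += 1;
    if (r.ms >= slowMs) g.slow.push(r.ms);
  }
  const hits = [];
  for (const g of groups.values()) {
    if (g.slow.length < minSlow) continue;
    const mean = g.slow.reduce((a, b) => a + b, 0) / g.slow.length;
    const spread = Math.max(...g.slow) - Math.min(...g.slow);
    hits.push({
      key: g.key,
      total: g.total,
      slow: g.slow.length,
      meanSlowMs: Math.round(mean),
      spreadMs: spread,
      clustered: spread <= maxSpreadMs, // tight cluster around one value is the strong signal
    });
  }
  return hits;
}
```

Run over the sample, only the webhook-edit client is flagged: six requests, four of them slow with a 25 ms spread around 5 s. The lone 6.1 s request to /api/items never reaches the threshold. Tune slowMs to the endpoint's normal p99 and remember that the same client will also appear in authentication logs as a high-privileged session, which is worth correlating.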

CVEs Like This One

CVE-2026-21854 · same product: Tarkov Data Manager
CVE-2026-21855 · same product: Tarkov Data Manager
CVE-2026-24956 · shared CWE-89
CVE-2026-33615 · shared CWE-89
CVE-2025-28939 · shared CWE-89
CVE-2021-47872 · shared CWE-89
CVE-2025-28873 · shared CWE-89
CVE-2019-25636 · shared CWE-89
CVE-2026-32611 · shared CWE-89
CVE-2026-42755 · shared CWE-89

Affected Assets

Vendor: tarkov
Product: tarkov data manager
Affected versions: ≤ 2026-01-02 (builds prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and sanitization of all inputs to the webhook edit and scanner API endpoints, blocking the unsanitized SQL strings that enable the time-based blind injection. Validation narrows what reaches the data layer; the underlying fix is still to bind every value through parameterized queries rather than string concatenation.

SI-2 Flaw Remediation (prevent)

Mandates prompt application of the patch in commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, which eliminates the vulnerable code paths in the affected endpoints.

AC-6 Least Privilege (prevent)

Limits the database privileges granted to the application service account so that even a successful SQL injection yields reduced integrity and availability impact on the MySQL instance (no DDL, FILE, or cross-schema access). Note the limit of this control for a blind injection: an account that can only SELECT from the application's own tables still lets an attacker read them one bit per request, so least privilege bounds the damage but does not remove the confidentiality impact.
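One way to implement the SI-10 control for a webhook edit request, as an added example rather than the project's own code: an allow-list validator written as a pure function so it can sit in front of any handler. The field names (id, url, name) and the limits are assumptions; the function complements parameterized queries and does not replace them.

```javascript
// Added example, not code from the-hideout/tarkov-data-manager. Field names
// and limits are assumptions for the illustration.
function validateWebhookEdit(body) {
  const errors = [];
  const value = {};
  const b = body && typeof body === 'object' ? body : {};

  // id: an unsigned decimal integer, checked with a regex rather than Number(),
  // so "7 AND SLEEP(5)", "7e0" or "0x7" are rejected outright.
  if (!/^[1-9]\d{0,9}$/.test(String(b.id ?? ''))) {
    errors.push('id: must be a positive integer');
  } else {
    value.id = Number(b.id);
  }

  // url: absolute https URL, no embedded credentials, bounded length.
  let parsed = null;
  if (typeof b.url === 'string' && b.url.length <= 2048) {
    try { parsed = new URL(b.url); } catch (_) { parsed = null; }
  }
  if (!parsed || parsed.protocol !== 'https:' || parsed.username || parsed.password) {
    errors.push('url: must be an https URL without credentials');
  } else {
    value.url = parsed.toString();
  }

  // name: short and drawn from an explicit character allow-list.
  if (typeof b.name !== 'string' || !/^[A-Za-z0-9 _.-]{1,64}$/.test(b.name)) {
    errors.push('name: 1-64 characters from [A-Za-z0-9 _.-]');
  } else {
    value.name = b.name;
  }

  return errors.length ? { ok: false, errors } : { ok: true, value };
}
```

Note what this does and does not stop: an id or name carrying injection syntax is rejected before any query is built, but a syntactically valid https URL can still contain a quote and SLEEP(5), because those are legal URL characters. Input validation therefore cannot be the only control on the url field; that value has to be bound as a parameter regardless.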

References

https://github.com/the-hideout/tarkov-data-manager/commit/9bdb3a75a98a7047b6d70144eb1da1655d6992a8
https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78