CVE-2026-3023

High

Published: 16 March 2026

Published

16 March 2026

Modified

19 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 11.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3023 is a high-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability in Wakyma Wakyma. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of user inputs to the 'print-tags' endpoint to neutralize special elements and prevent NoSQL injection commands.

SI-2 Flaw Remediation good match

preventrecover

Ensures timely identification, reporting, and correction of the specific NoSQLi flaw in the Wakyma web application.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection with web application firewalls monitors and blocks altered POST requests containing NoSQL injection payloads to the affected endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

NoSQL injection in public-facing web app endpoint directly matches exploitation of public-facing applications (T1190) via crafted POST requests over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them…

to list both pets and owner names.

Deeper analysisAI

CVE-2026-3023 is a non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. Published on 2026-03-16T14:19:45.663, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The vulnerability can be exploited over the network by an authenticated user with low privileges through alteration of a POST request to the affected endpoint, enabling injection of NoSQL commands. Successful exploitation allows the attacker to list both pets and owner names, with the high CVSS impacts indicating potential for significant confidentiality, integrity, and availability compromise.

Mitigation details are available in the INCIBE-CERT advisory on multiple vulnerabilities in the Wakyma web application, accessible at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wakyma-application-web.