Cyber Resilience

CVE-2026-3023

Medium

Published: 16 March 2026

Published
16 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-3023 is a medium-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability in Wakyma Wakyma. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3023 is a non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. Published on 2026-03-16T14:19:45.663, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The vulnerability can be exploited over the network by an authenticated user with low privileges through alteration of a POST request to the affected endpoint, enabling injection of NoSQL commands. Successful exploitation allows the attacker to list both pets and owner names, with the high CVSS impacts indicating potential for significant confidentiality, integrity, and availability compromise.

Mitigation details are available in the INCIBE-CERT advisory on multiple vulnerabilities in the Wakyma web application, accessible at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wakyma-application-web.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands, allowing them…

more

to list both pets and owner names.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

NoSQL injection in public-facing web app endpoint directly matches exploitation of public-facing applications (T1190) via crafted POST requests over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89
CVE-2026-32611Shared CWE-89
CVE-2026-42755Shared CWE-89
CVE-2024-53544Shared CWE-89
CVE-2026-21410Shared CWE-89

Affected Assets

wakyma
wakyma
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user inputs to the 'print-tags' endpoint to neutralize special elements and prevent NoSQL injection commands.

preventrecover

Ensures timely identification, reporting, and correction of the specific NoSQLi flaw in the Wakyma web application.

preventdetect

Boundary protection with web application firewalls monitors and blocks altered POST requests containing NoSQL injection payloads to the affected endpoint.

References