Cyber Posture

CVE-2026-3843

Critical · Updated

Published: 10 March 2026
Modified: 07 May 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: see the vendor advisory at https://bukts.ru/repo-bukts-current
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3843 is a critical-severity SQL Injection (CWE-89) vulnerability in the Bukts BUK TS-G Gas Station Automation System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 40.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Databases (T1213.006). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

- SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and remediation of the SQL injection flaw in the /php/request.php endpoint of the BUK TS-G system.
- SI-10 Information Input Validation (prevent): directly prevents SQL injection by validating and sanitizing the unsanitized 'sql' parameter in HTTP POST requests to the vulnerable endpoint.
- Boundary protection (prevent, detect): mechanisms such as web application firewalls can block or detect specially crafted POST requests containing SQL injection payloads targeting the system configuration module.
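The boundary-protection control above describes blocking or detecting POST requests to the vulnerable endpoint. The following is an added detection example written for this page; it is not code from the vendor, NVD, or the advisory sources. It assumes request records are available as (method, path, content-type, body) tuples, as a WAF or reverse-proxy log integration might supply them, and flags only the pattern the NVD description names: a POST to /php/request.php whose form-urlencoded body carries a `sql` field. The sample records are constructed, and the placeholder value `PLACEHOLDER_QUERY` stands in for whatever the parameter would carry.

```python
"""Flag HTTP POST requests matching the CVE-2026-3843 pattern: a POST to
/php/request.php carrying a `sql` parameter in a form-urlencoded body.
Added detection example; not code from the vendor, NVD, or this page."""
from urllib.parse import parse_qs, urlsplit

VULNERABLE_PATH = "/php/request.php"   # endpoint named in the NVD description
SUSPECT_PARAM = "sql"                  # parameter named in the NVD description

# Constructed sample request records: (method, path, content-type, raw body).
# Only record 0 matches the full pattern; the others are deliberate near-misses.
SAMPLE_REQUESTS = [
    ("POST", "/php/request.php", "application/x-www-form-urlencoded",
     "action=do&sql=PLACEHOLDER_QUERY&reload_driver=0"),
    ("POST", "/php/request.php", "application/x-www-form-urlencoded",
     "action=status&reload_driver=0"),                 # no sql field
    ("GET", "/php/request.php?action=do", "", ""),     # wrong method
    ("POST", "/php/other.php", "application/x-www-form-urlencoded",
     "sql=PLACEHOLDER_QUERY"),                         # different endpoint
    ("POST", "/php/request.php", "application/json",
     '{"action":"do","sql":"PLACEHOLDER_QUERY"}'),     # not form-urlencoded
]


def form_params(content_type, body):
    """Decode a form-urlencoded body into {name: [values]}.

    Returns an empty dict for any other media type; the media type is
    compared without its parameters (e.g. '; charset=utf-8')."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        return {}
    # keep_blank_values so that a bare 'sql=' is still seen as present.
    return parse_qs(body, keep_blank_values=True)


def is_suspect(method, path, content_type, body):
    """True when the record is a POST to the vulnerable endpoint whose
    form body contains the `sql` field, regardless of its value."""
    if method.upper() != "POST":
        return False
    if urlsplit(path).path != VULNERABLE_PATH:   # ignore any query string
        return False
    return SUSPECT_PARAM in form_params(content_type, body)


def scan(requests):
    """Return the indices of suspect records, in input order."""
    return [i for i, rec in enumerate(requests) if is_suspect(*rec)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        method, path, _, body = SAMPLE_REQUESTS[i]
        print(f"ALERT record {i}: {method} {path} body={body!r}")
```

The rule is deliberately scoped to what the page documents, so a JSON body (record 4) is not matched; a practitioner widening the rule to other media types should keep the endpoint and method conditions, since the `sql` field name alone is common enough to produce noise elsewhere. Alerting on the presence of the field rather than on payload content avoids the evasion problems of signature-matching individual SQL keywords.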

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection in public-facing web endpoint (T1190) enables arbitrary SQL execution for database data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.

Deeper analysis (AI-generated)

CVE-2026-3843 is a SQL injection vulnerability (CWE-89) in the Nefteprodukttekhnika BUK TS-G Gas Station Automation System version 2.9.1 running on Linux. The issue affects the system configuration module, where the /php/request.php endpoint processes unsanitized input via the sql parameter in application/x-www-form-urlencoded data from HTTP POST requests. Published on 2026-03-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted POST requests, such as those formatted with action=do&sql=<query_here>&reload_driver=0. Successful exploitation enables arbitrary SQL command execution, which could allow data extraction, modification, or deletion, and potentially escalate to remote code execution on the affected system.

Mitigation details are outlined in advisories available at https://bdu.fstec.ru/vul/2025-13914 and https://bukts.ru/repo-bukts-current. Security practitioners should consult these resources for patching instructions, version updates, or configuration workarounds specific to the BUK TS-G system.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

- Vendor: bukts
- Product: buk ts-g gas station automation system
- Versions: 2.9.1 through 2.10.2

CVEs Like This One

- CVE-2025-13214 (same product: Linux / Linux Kernel)
- CVE-2025-57870 (same product: Linux / Linux Kernel)
- CVE-2024-41767 (same product: Linux / Linux Kernel)
- CVE-2026-43186 (same product: Linux / Linux Kernel)
- CVE-2026-43037 (same product: Linux / Linux Kernel)
- CVE-2026-23427 (same product: Linux / Linux Kernel)
- CVE-2026-43055 (same product: Linux / Linux Kernel)
- CVE-2026-31718 (same product: Linux / Linux Kernel)
- CVE-2026-31649 (same product: Linux / Linux Kernel)
- CVE-2026-31668 (same product: Linux / Linux Kernel)

References

- https://bdu.fstec.ru/vul/2025-13914
- https://bukts.ru/repo-bukts-current