CVEFinder.io

CVE-2026-31069

⚠️ high
🔍 Scan for this CVE
Summary

BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.

CVSS Score
8.8
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-19
First Seen: 2026-05-20
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 81.1% of all 327,306 vulnerabilities in our database.

#61,876
Top 25% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 20, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-05-20
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-89

📦 Affected Products 0

No affected products information available

🔗 References 3

https://gist.github.com/nedlir/2377ba6e7fa2ad957210b...
https://gist.github.com/nedlir/a50725b94650467f0593b...
https://github.com/BillaBear/billabear