CVE-2026-35152

Source
https://cve.org/CVERecord?id=CVE-2026-35152
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35152.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35152
Published
2026-07-15T09:19:54.983Z
Modified
2026-07-17T03:46:19.396451771Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Fineract: SQL injection in runreports endpoint
Details

A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.

Database specific
{
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35152.json",
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/fineract

Affected ranges

Type
GIT
Repo
https://github.com/apache/fineract
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.14.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

1.*
1.0.0
1.1.0
1.10.0
1.11.0
1.12.0
1.12.1
1.14.0
1.2.0
1.3.0
1.5.0
1.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35152.json"