CVE-2025-26852

CVE-2025-26852 is a SQL injection vulnerability (CWE-89) present in DESCOR INFOCAD versions 3.5.1 and earlier. The flaw allows attackers to inject malicious SQL code into backend queries. It was published on 2025-03-20 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critically severe due to its network accessibility, low attack complexity, lack of privileges or user interaction needed, and high impacts across confidentiality, integrity, and availability with scope change.

Remote, unauthenticated attackers can exploit this vulnerability over the network without user interaction. By injecting crafted SQL payloads, they can execute arbitrary database commands, potentially leading to unauthorized data access, modification, deletion, or escalation to broader system compromise given the high impact ratings and scope change.

Mitigation is available in DESCOR INFOCAD v3.5.2.0, which addresses the SQL injection issue. Security practitioners should reference the product page at https://www.descor.com/prodotti/infocad and the changelog at https://www.infocadfm.com/changelog/sql-injection/ for patch details and upgrade instructions.