CVE-2026-3843
Published: 10 March 2026
Description
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely identification, reporting, and remediation of the SQL injection flaw in the /php/request.php endpoint of the BUK TS-G system.
- Input validation: directly prevents SQL injection by validating and sanitizing the unsanitized 'sql' parameter in HTTP POST requests to the vulnerable endpoint.
- Boundary protection: mechanisms such as web application firewalls can block or detect specially crafted POST requests containing SQL injection payloads targeting the system configuration module.
Security Summary
CVE-2026-3843 is a SQL injection vulnerability (CWE-89) in the Nefteprodukttekhnika BUK TS-G Gas Station Automation System version 2.9.1 running on Linux. The issue affects the system configuration module, where the /php/request.php endpoint processes unsanitized input via the sql parameter in application/x-www-form-urlencoded data from HTTP POST requests. Published on 2026-03-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted POST requests, such as those formatted with action=do&sql=<query_here>&reload_driver=0. Successful exploitation enables arbitrary SQL command execution, which could allow data extraction, modification, or deletion, and potentially escalate to remote code execution on the affected system.
Mitigation details are outlined in advisories available at https://bdu.fstec.ru/vul/2025-13914 and https://bukts.ru/repo-bukts-current. Security practitioners should consult these resources for patching instructions, version updates, or configuration workarounds specific to the BUK TS-G system.
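The boundary-protection control above relies on recognising the request shape the advisory describes: a POST to /php/request.php whose form-encoded body carries an sql field. The following is an added example, not code from the vendor or from either advisory, of detection logic that applies that rule to proxy or WAF log lines. It assumes a tab-separated log format that records request bodies (constructed here as SAMPLE_LOG) and a management network from which the vendor's own configuration tooling is expected to reach the endpoint (the MANAGEMENT_NETS allowlist, also an assumption about the deployment).

```python
"""Flag POST requests to /php/request.php that carry an `sql` form field.

Added example for CVE-2026-3843; not vendor code. The log format
(timestamp, src_ip, method, request-target, content-type, body, tab
separated) and the management network are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

VULNERABLE_PATH = "/php/request.php"   # endpoint named in the advisory
SQL_PARAM = "sql"                      # parameter named in the advisory

# Assumption: only these networks host legitimate configuration tooling.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]


@dataclass
class Finding:
    line_no: int
    src_ip: str
    action: str
    verdict: str   # "block" for untrusted sources, "review" for management hosts


def _from_management(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def inspect_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if the line matches the vulnerable request shape."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None                      # malformed record, not our concern here
    _ts, src_ip, method, target, ctype, body = parts
    if method.upper() != "POST":
        return None
    if urlsplit(target).path != VULNERABLE_PATH:
        return None
    if not ctype.lower().startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    if SQL_PARAM not in fields:
        return None                      # e.g. a reload without raw SQL
    action = fields.get("action", ["-"])[0]
    verdict = "review" if _from_management(src_ip) else "block"
    return Finding(line_no, src_ip, action, verdict)


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run inspect_line over every record and collect the findings."""
    findings = []
    for n, line in enumerate(lines, start=1):
        f = inspect_line(n, line)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records. The body in the suspicious lines uses the
# advisory's own "<query_here>" placeholder (URL-encoded), not a real query.
SAMPLE_LOG = [
    "2026-03-10T08:00:00Z\t10.10.0.5\tGET\t/php/request.php?action=status\t-\t-",
    "2026-03-10T08:00:04Z\t203.0.113.7\tPOST\t/php/request.php\t"
    "application/x-www-form-urlencoded\taction=do&sql=%3Cquery_here%3E&reload_driver=0",
    "2026-03-10T08:00:09Z\t10.10.0.5\tPOST\t/php/request.php\t"
    "application/x-www-form-urlencoded\taction=do&reload_driver=1",
    "2026-03-10T08:00:15Z\t10.10.0.5\tPOST\t/php/request.php\t"
    "application/x-www-form-urlencoded; charset=UTF-8\taction=do&sql=%3Cquery_here%3E&reload_driver=0",
    "2026-03-10T08:00:20Z\t203.0.113.7\tPOST\t/php/other.php\t"
    "application/x-www-form-urlencoded\tsql=%3Cquery_here%3E",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.verdict} {f.src_ip} action={f.action}")
```

Two of the five constructed records match: the one from 203.0.113.7 is marked "block", and the one from the management host is marked "review" rather than silently allowed, since the advisory's fix is patching the endpoint, not trusting the source address. Matching on path plus the presence of the sql field, rather than on SQL keywords in the value, keeps the rule simple and avoids the keyword-evasion problem that signature-only WAF rules have.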
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web endpoint (T1190) gives arbitrary SQL execution, which in turn enables extraction of data from the application's database (T1213.006).