Nefteprodukttekhnika Llc · Buk Ts-G Gas Station Automation System · CVE-2026-3843
**Name of the Vulnerable Software and Affected Versions**
Nefteprodukttekhnika BUK TS-G Gas Station Automation System version 2.9.1
**Description**
The system contains a SQL Injection issue in the system configuration module. An attacker can send crafted HTTP POST requests to the `/php/request.php` endpoint via the `sql` parameter in application/x-www-form-urlencoded data (e.g., `action=do&sql=<query here>&reload driver=0`) to execute arbitrary SQL commands and potentially achieve remote code execution.
**Recommendations**
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `/php/request.php` endpoint.