CVE-2025-46546

Name of the Vulnerable Software and Affected Versions Sherpa Orchestrator version 141851

Description The issue allows an authenticated user to perform multiple time-based blind SQL injections. This affects several API endpoints, including "api/gui/asset/list", "api/gui/files/export/csv/", "api/gui/files/list", "api/gui/process/export/csv", "api/gui/process/export/xlsx", "api/gui/process/listAll", "api/gui/processVersion/export/csv/", "api/gui/processVersion/export/xlsx/", "api/gui/processVersion/list/", "api/gui/robot/list/", "api/gui/task/export/csv/", "api/gui/task/export/xlsx/", and "api/gui/task/list/".

Recommendations As a temporary workaround, consider restricting access to the affected API endpoints until a patch is available. Avoid using sensitive data in the affected endpoints to minimize the risk of exploitation. Update to a version that includes a fix for this issue when available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.