CVE-2026-4317

Name of the Vulnerable Software and Affected Versions Umami Software (affected versions not specified)

Description An issue exists in Umami Software that allows an authenticated attacker to execute arbitrary SQL commands in the database. This is due to an improperly sanitized parameter, specifically the 'timezone' request parameter, which can be manipulated with malicious characters and SQL payloads. The application uses functions like prisma.rawQuery and prisma.$queryRawUnsafe or raw queries with ClickHouse, interpolating values directly into SQL queries without proper filtering or sanitization. Successful exploitation could compromise database data and allow execution of dangerous functions.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.