CVE-2026-0603

Name of the Vulnerable Software and Affected Versions Hibernate (affected versions not specified)

Description A flaw exists in Hibernate that allows a remote attacker with low privileges to exploit a second-order SQL injection. The issue occurs when specially crafted, unsanitized non-alphanumeric characters are provided in the ID column while using the InlineIdsOrClauseBuilder. Successful exploitation could lead to sensitive information disclosure, including the ability to read system files, and allow for data manipulation or deletion within the application's database, potentially resulting in an application-level denial of service. A second-order SQL injection occurs when an application receives data from a trusted source but does not properly sanitize it before using it in a database query. The InlineIdsOrClauseBuilder is a component used to construct SQL queries.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.