CVE-2026-10880

Name of the Vulnerable Software and Affected Versions OSNexus QuantaStor versions prior to 6.6.2

Description An unauthenticated remote attacker can perform a blind SQL injection via the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, which allows the attacker to bypass authentication and log in as an administrator without a valid password. Additionally, attackers can recover stored password hashes one character at a time by analyzing differing login error responses.

Recommendations Update to version 6.6.2 or later. As a temporary workaround, restrict access to the login endpoint to trusted IP addresses to minimize the risk of exploitation.