PT-2026-8402 · Unknown · Clicldeu Saas
Published 2026-02-17 · Updated 2026-02-17 · CVE-2026-2247
CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Clicldeu SaaS (affected versions not specified)
Description
A SQL injection flaw exists in Clicldeu SaaS, specifically in report generation. A remote, authenticated attacker can execute a malicious payload in the URL generated after downloading a student's report card in the 'Day-to-day' section of the mobile application. The session token in the generated PDF URL does not expire, remaining valid for days, and unusual characters can be injected after the id alu parameter. This enables both boolean-based blind and time-based blind SQL injection, potentially allowing an attacker to access confidential information in the database.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
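Until a fix is available, the two weaknesses in the description map to two server-side controls: a report-link token that expires and is bound to one student, and a student id that is validated and passed as a bound query parameter. The sketch below is an added example, not Clicldeu code; the Python/sqlite3 stack, the `grades` table, the signing key, the 5-minute lifetime and all function names are assumptions, with `raw_id` standing in for the value of the id alu parameter.

```python
import hashlib, hmac, sqlite3, time

SECRET = b"constructed-demo-key"   # assumption: server-side signing key
TOKEN_TTL = 300                    # assumption: report links live 5 minutes

def _sign(student_id, exp):
    msg = f"{student_id}:{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_report_token(student_id, now=None):
    """Issue a link token bound to one student and an expiry time."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{student_id}:{exp}:{_sign(student_id, exp)}"

def token_is_valid(token, student_id, now=None):
    """True only if the token is authentic, unexpired and for this student."""
    parts = token.split(":")
    if len(parts) != 3:
        return False
    sid, exp, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(sid, exp).encode()):
        return False
    now = time.time() if now is None else now
    return sid == str(student_id) and int(exp) >= now

def parse_student_id(raw):
    """Accept a plain decimal id only; reject everything else before SQL."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError("invalid student id")
    return int(raw)

def fetch_report(db, raw_id, token, now=None):
    student_id = parse_student_id(raw_id)
    if not token_is_valid(token, student_id, now):
        raise PermissionError("token invalid or expired")
    # Bound parameter: the value is never spliced into the SQL text.
    return db.execute(
        "SELECT subject, grade FROM grades WHERE student_id = ?",
        (student_id,),
    ).fetchall()

def demo_db():
    """Constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grades (student_id INTEGER, subject TEXT, grade TEXT)")
    db.executemany("INSERT INTO grades VALUES (?, ?, ?)",
                   [(7, "Maths", "A"), (8, "Maths", "C")])
    return db
```

Rejected ids and expired tokens raise distinct exceptions, so each can be logged and alerted on separately.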
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Clicldeu Saas