PT-2026-8402 · Unknown · Clicldeu Saas

Published 2026-02-17 · Updated 2026-02-17 · CVE-2026-2247

CVSS v4.0: 8.3

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions

Clicldeu SaaS (affected versions not specified)

Description

A SQL injection flaw exists in Clicldeu SaaS, specifically in report generation. A remote authenticated attacker can execute a malicious payload within the URL generated after downloading a student’s report card in the ‘Day-to-day’ section of the mobile application. The session token in the generated PDF URL does not expire, remaining valid for days, and the URL allows the injection of unusual characters after the ‘id alu’ parameter. This enables both boolean-based blind and time-based blind SQL injection attacks, potentially allowing an attacker to access confidential information within the database.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-2247

Affected Products

Clicldeu Saas