CVE-2025-26086 — HIGH (7.5)

Vulnerability Description

An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the get request handler. Attackers can remotely inject time-delayed SQL payloads to induce server response delays, enabling time-based inference and iterative extraction of sensitive database contents without authentication.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Rsiqueue	Management System	3.0

Related Weaknesses (CWE)

CWE-89

References

https://seclists.org/fulldisclosure/2025/May/21Mailing List
http://seclists.org/fulldisclosure/2025/May/21Mailing List

FAQ

What is CVE-2025-26086?

CVE-2025-26086 is a vulnerability with a CVSS score of 7.5 (HIGH). An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the get request handler. Attackers can remotely inject time-delayed SQL p...

How severe is CVE-2025-26086?

CVE-2025-26086 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-26086?

Check the references section above for vendor advisories and patch information. Affected products include: Rsiqueue Management System.