Vulnerability Description
A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2026:4915
- https://access.redhat.com/errata/RHSA-2026:4916
- https://access.redhat.com/errata/RHSA-2026:4917
- https://access.redhat.com/errata/RHSA-2026:4924
- https://access.redhat.com/errata/RHSA-2026:6011
- https://access.redhat.com/errata/RHSA-2026:6012
- https://access.redhat.com/security/cve/CVE-2026-0603
- https://bugzilla.redhat.com/show_bug.cgi?id=2427147
FAQ
What is CVE-2026-0603?
CVE-2026-0603 is a vulnerability with a CVSS score of 8.3 (HIGH). A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in...
How severe is CVE-2026-0603?
CVE-2026-0603 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-0603?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.