Vulnerability Description
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the `/php/request.php` endpoint via the `sql` parameter in `application/x-www-form-urlencoded` data (e.g., `action=do&sql=<query_here>&reload_driver=0`) to execute arbitrary SQL commands and potentially achieve remote code execution.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bukts | Buk Ts-G Gas Station Automation System | >= 2.9.1, < 2.10.2 |
| Linux | Linux Kernel | - |
Related Weaknesses (CWE)
- CWE-89 (SQL Injection)
References
- https://bdu.fstec.ru/vul/2025-13914 (Broken Link)
- https://bukts.ru/repo-bukts-current (Broken Link)
FAQ
What is CVE-2026-3843?
CVE-2026-3843 is a vulnerability with a CVSS score of 9.8 (CRITICAL). It is a SQL Injection vulnerability (CWE-89) in the system configuration module of Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux; see the Vulnerability Description above for the full text.
How severe is CVE-2026-3843?
CVE-2026-3843 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-3843?
Check the references section above for vendor advisories and patch information. Affected products include: Bukts Buk Ts-G Gas Station Automation System, Linux Linux Kernel.