Commvault CommServe Web Server Unauthenticated SQL Injection

July 25, 2025 invoker category_cve

CVE Details

Basic Information

Title Commvault CommServe Web Server Unauthenticated SQL Injection
Type cve
Published 2025-07-25T15:49:23.837Z
Modified 2025-07-25T15:49:23.837Z

Product Information

Vendor Commvault
Product Commvault
Version 11.32.0

CVSS Information

Base Score 6.9 (MEDIUM)
Attack Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products

  • Commvault Commvault 11.32.0
  • Commvault Commvault 11.36.0
  • Commvault Commvault 11.38.0

Additional Information

CWE List CWE-89
Source VulnCheck

Description

An SQL injection vulnerability exists in Commvault 11.32.0 – 11.32.93, 11.36.0 – 11.36.51, and 11.38.0 – 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.