VDB
CVE-2026-4324
CVE-2026-4324
PUBLISHED
CVSS 5.400000095367432 MEDIUM
A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database.
EPSS 0.12% · 29.8th percentile
Risk Scores
CVSS 3.1
5.400000095367432
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS Score
0.12%
29.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:1.2.0-0.1.el9pc, 0:1.2.0-0.1.el9pc, 0:1.2.0-0.1.el9pc |
| RubyGems | katello | 0, 0, 0 |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:4.16.0.14-1.el9sat, 0:4.16.0.14-1.el9sat, 0:4.16.0.14-1.el9sat |
| Red Hat | Red Hat Satellite 6.18 for RHEL 9 | 0:4.18.0.9-1.el9sat, 0:4.18.0.9-1.el9sat, * |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:6.17.7-1.el9sat, 0:6.17.7-1.el9sat, 0:6.17.7-1.el9sat |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:3.27.10-2.el9pc, 0:3.27.10-2.el9pc, 0:3.27.10-2.el9pc |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:4.2.28-0.1.el9pc, 0:4.2.28-0.1.el9pc, 0:4.2.28-0.1.el9pc |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:0.0.3-4.el9sat, 0:0.0.3-4.el9sat, 0:0.0.3-4.el9sat |
| Red Hat | Red Hat Satellite 6.19 for RHEL 9 | 0:4.20.0.4-1.el9sat |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:0.4.3-1.el9sat, 0:0.4.3-1.el9sat, 0:0.4.3-1.el9sat |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:0.1.23-0.3.el9pc, 0:0.1.23-0.3.el9pc, 0:0.1.23-0.3.el9pc |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:0.13.0-1.el9sat, 0:0.13.0-1.el9sat, 0:0.13.0-1.el9sat |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:2.22.3-1.el9pc, 0:2.22.3-1.el9pc, 0:2.22.3-1.el9pc |
| Red Hat | Red Hat Satellite 6 | |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:1.5.1-1.el9sat, 0:1.5.1-1.el9sat, 0:1.5.1-1.el9sat |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:3.14.0.14-1.el9sat, *, 0:3.14.0.14-1.el9sat |
Timeline
- Mar 17, 2026 CVE Published
- Mar 18, 2026 EPSS Score
- Mar 19, 2026 EPSS Score
- Mar 19, 2026 Security Advisory
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 Coalition ESS Score
- Mar 21, 2026 EPSS Score
- Mar 21, 2026 Coalition ESS Score
- Mar 22, 2026 EPSS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 25, 2026 EPSS Score
References
- RHSA-2026:5968 vendor-advisory
- RHSA-2026:5970 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2026-4324 vdb
- RHBZ#2448349 issue
- https://nvd.nist.gov/vuln/detail/CVE-2026-4324 advisory
- https://github.com/Katello/katello/commit/a0a793b08d4f0a897ee985d79a687ad043f99e57 url
- https://github.com/Katello/katello package
- RHSA-2026:22326 vendor-advisory