A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an endpoint which could result in a NoSQL injection, potentially leading to RCE.
oryginał ENCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRocket.chat
APPRocket.Chat< 3.11.43.12.0 – 3.12.4 (bez)3.13.0 – 3.13.2 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
SQLi
Powiązane podatności
CVE-2026-48616CRITICAL9.3ten sam produkt
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerab...
CVE-2026-29198CRITICAL9.8PL ✓ten sam produkt
Rocket.Chat — NoSQL injection umożliwiający przejęcie konta (SQLi)
CVE-2026-28514CRITICAL9.3PL ✓ten sam produkt
Rocket.Chat — pominięcie await powoduje auth bypass w ddp-streamer
CVE-2023-28316CRITICAL9.8ten sam produkt
A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where o...
CVE-2022-44567CRITICAL9.8ten sam produkt
A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a...