Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication, significantly raising the risk.
The vulnerability results from insufficient validation of user-supplied input data in one of the web application endpoints. An attacker can provide crafted input data which is then included in SQL queries executed on the backend database server. Since the exploit does not require authentication, any remote attacker with access to the application can directly interact with the database. The maximum CVSS score of 10.0 reflects the absence of any technical barriers preventing the attack.
An attacker can gain unauthorized access to data stored in the database, modify or delete data, and depending on the environment configuration — potentially take control of the database server or escalate privileges in the system.
Explorance Blue should be updated to version 8.14.9 or later as soon as possible. Detailed information is available in the vendor's security notices published on online-help.explorance.com (Security Advisories — January 2026). Until the patch is deployed, it is recommended to restrict application access only to trusted networks and apply WAF rules blocking typical SQL injection payloads.
Explorance Blue in all versions earlier than 8.14.9.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExplorance Blue
APPExplorance< 8.14.9
Related vulnerabilities
RCE przez unrestricted file upload w Explorance Blue (panel admina)
RCE przez podatny upload plików w Explorance Blue (CVE-2025-57795)
Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validati...
Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to p...
Multiple Cross Site Scripting (XSS) vulnerabilities in input fields in Explorance Blue 8.1.2 allows attackers ...