CVE-2026-2247

SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application. In the URL of the generated PDF, the session token used does not expire, so it remains valid for days after its generation, and unusual characters can be entered after the ‘id_alu’ parameter, resulting in two types of SQLi: boolean-based blind and time-based blind. Exploiting this vulnerability could allow an attacker to access confidential information in the database.

CVSS

No CVSS.

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-clickedus-saas-platform

Configurations

No configuration.

History

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de inyección SQL (SQLi) en Clicldeu SaaS, específicamente en la generación de informes, que ocurre cuando un atacante remoto previamente autenticado ejecuta una carga útil maliciosa en la URL generada después de descargar el boletín de calificaciones del estudiante en la sección 'Day-to-day' desde la aplicación móvil. En la URL del PDF generado, el token de sesión utilizado no caduca, por lo que permanece válido durante días después de su generación, y se pueden introducir caracteres inusuales después del parámetro 'id_alu', lo que resulta en dos tipos de SQLi: ciego basado en booleanos y ciego basado en tiempo. Explotar esta vulnerabilidad podría permitir a un atacante acceder a información confidencial en la base de datos.

17 Feb 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-17 12:16

Updated : 2026-02-18 17:52

NVD link : CVE-2026-2247

Mitre link : CVE-2026-2247

CVE.ORG link : CVE-2026-2247

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-2247", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-17T12:16:15.443", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-clickedus-saas-platform", "source": "cve-coordination@incibe.es"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the \u2018Day-to-day\u2019 section from the mobile application.\n\nIn the URL of the generated PDF, the session token used does not expire, so it remains valid for days after its generation, and unusual characters can be entered after the \u2018id_alu\u2019 parameter, resulting in two types of SQLi: boolean-based blind and time-based blind. Exploiting this vulnerability could allow an attacker to access confidential information in the database."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL (SQLi) en Clicldeu SaaS, espec\u00edficamente en la generaci\u00f3n de informes, que ocurre cuando un atacante remoto previamente autenticado ejecuta una carga \u00fatil maliciosa en la URL generada despu\u00e9s de descargar el bolet\u00edn de calificaciones del estudiante en la secci\u00f3n 'Day-to-day' desde la aplicaci\u00f3n m\u00f3vil.\n\nEn la URL del PDF generado, el token de sesi\u00f3n utilizado no caduca, por lo que permanece v\u00e1lido durante d\u00edas despu\u00e9s de su generaci\u00f3n, y se pueden introducir caracteres inusuales despu\u00e9s del par\u00e1metro 'id_alu', lo que resulta en dos tipos de SQLi: ciego basado en booleanos y ciego basado en tiempo. Explotar esta vulnerabilidad podr\u00eda permitir a un atacante acceder a informaci\u00f3n confidencial en la base de datos."}], "lastModified": "2026-02-18T17:52:22.253", "sourceIdentifier": "cve-coordination@incibe.es"}