CVE-2026-44860

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:arubaos::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:arubanetworks:sd-wan::::::::
	cpe:2.3:a:arubanetworks:sd-wan::::::::

History

14 May 2026, 18:41

Type	Values Removed	Values Added
First Time		Arubanetworks arubaos Arubanetworks Arubanetworks sd-wan
References	~~() https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US -~~	() https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US - Vendor Advisory
CPE		cpe:2.3:a:arubanetworks:sd-wan:::::::: cpe:2.3:o:arubanetworks:arubaos::::::::

13 May 2026, 19:17

Type	Values Removed	Values Added
CWE		CWE-89

12 May 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-12 20:16

Updated : 2026-05-14 18:41

NVD link : CVE-2026-44860

Mitre link : CVE-2026-44860

CVE.ORG link : CVE-2026-44860

JSON object : View

Products Affected

arubanetworks

sd-wan
arubaos

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-44860", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-alert@hpe.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-05-12T20:16:44.620", "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US", "tags": ["Vendor Advisory"], "source": "security-alert@hpe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system."}], "lastModified": "2026-05-14T18:41:29.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3310CEA-A66E-4374-91DE-5B9ACC49005E", "versionEndExcluding": "8.10.0.22", "versionStartIncluding": "6.5.4.0"}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B106E8F-BD70-4427-8B0B-BE6A060DA43A", "versionEndExcluding": "8.12.0.7", "versionStartIncluding": "8.11.0.0"}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CA7BD88-F241-4D60-9BA7-7409A1E435CC", "versionEndExcluding": "8.13.1.2", "versionStartIncluding": "8.13.0.0"}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E47CF22-3260-4755-A11E-B16AEAE0743C", "versionEndExcluding": "10.4.1.11", "versionStartIncluding": "10.4.0.0"}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60034F6F-DB9F-40E1-9719-96EB3837A546", "versionEndExcluding": "10.7.2.3", "versionStartIncluding": "10.5.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4311C56C-9E48-4695-A24C-C93FEFB6F354", "versionEndIncluding": "8.6.0.4-2.2.0.7", "versionStartIncluding": "8.6.0.4-2.2.0.0"}, {"criteria": "cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7825F9F-FC5F-4C61-A67B-5034E943F8C3", "versionEndIncluding": "8.7.0.0-2.3.0.9", "versionStartIncluding": "8.7.0.0-2.3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@hpe.com"}