A critical, unauthenticated SQL injection flaw (CVSS 9.8) affects all versions of Inrove's BiEticaret e-commerce software prior to v3.3.57, enabling remote attackers to compromise the confidentiality, integrity, and availability of affected systems.
What Is It
CVE-2026-5955 is an improper neutralization of special elements used in an SQL command, a classic SQL injection vulnerability (CWE-89), in BiEticaret, developed by Inrove Software and Internet Services. The flaw allows an attacker to inject arbitrary SQL commands into the application. It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning it is exploitable over the network, requires low attack complexity, needs no privileges, and requires no user interaction.
Why It Matters
Because exploitation requires no authentication and no user interaction, an attacker can target vulnerable BiEticaret instances remotely with minimal effort. The vulnerability rates HIGH impact across all three security pillars: confidentiality, integrity, and availability. For an e-commerce platform, successful SQL injection can expose customer records, order data, and credentials, and permit unauthorized modification of application data.
What's Vulnerable
- Vendor: Inrove Software and Internet Services
- Product: BiEticaret
- Affected versions: All versions before v3.3.57
No specific affected CPEs were listed in the supplied NVD record.
Patch Status
The issue is resolved in BiEticaret v3.3.57. The NVD record lists versions at or above v3.3.57 as unaffected, so upgrading to v3.3.57 or later remediates the vulnerability. The CVE was published on 2026-07-09 with a status of "Received." No CISA KEV entry was supplied, so there is no confirmation of active exploitation in the source material.