SYS::ONLINE
Wasteland.
Briefs1238
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-8297 2026-07-17

CVE-2026-8297: Critical SQL Injection in GisLab Laboratory Management System

"A critical, unauthenticated SQL injection flaw (CVSS 9.8) in the GisLab Laboratory Management System allows remote attackers to inject SQL commands with no privileges or user interaction."

A critical, unauthenticated SQL injection flaw (CVSS 9.8) in the GisLab Laboratory Management System allows remote attackers to inject SQL commands with no privileges or user interaction.

What Is It

CVE-2026-8297 is an SQL injection vulnerability (CWE-89) caused by improper neutralization of special elements used in an SQL command. It affects the GisLab Laboratory Management System, developed by Gis Informatics Engineering Consulting Laboratory R&D and Software Services Inc. The flaw is exploitable over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N).

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL), with high impact to confidentiality, integrity, and availability. Because it is remotely reachable and requires no authentication, an attacker can potentially read, alter, or destroy database contents. CISA's SSVC assessment rates the technical impact as "total" and marks the flaw as "automatable: yes," indicating it can be reliably exploited at scale. SSVC records exploitation status as "none" at this time, and no CISA KEV entry was supplied to confirm active exploitation in the wild.

What's Vulnerable

The affected product is the GisLab Laboratory Management System, versions from 1.4.03 through 08072026. Versions outside that range are listed as unaffected. No specific CPE identifiers were provided in the source data.

Patch Status

The NVD record lists a vulnerability status of "Deferred." The supplied source material does not include a specific fixed version, patch, or explicit required-action statement. The only referenced advisory is the Turkish national cyber security authority (USOM/siberguvenlik.gov.tr) bulletin; organizations running affected GisLab versions should consult that advisory for remediation guidance and monitor for a vendor fix.

Sources