SYS::ONLINE
Wasteland.
Briefs1132
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-8307 2026-07-08

CVE-2026-8307: Critical SQL Injection in Webbeyaz Mediküm Web

"A critical, unauthenticated SQL injection flaw affects all versions of Webbeyaz Web Design's Mediküm Web, a product the vendor has confirmed is no longer supported."

A critical, unauthenticated SQL injection flaw affects all versions of Webbeyaz Web Design's Mediküm Web, a product the vendor has confirmed is no longer supported.

What Is It

CVE-2026-8307 is an improper neutralization of special elements used in an SQL command, a classic SQL injection vulnerability (CWE-89), in Webbeyaz Web Design's Mediküm Web product. Because untrusted input is passed into SQL queries without proper sanitization, an attacker can inject arbitrary SQL, potentially reading, altering, or destroying database contents. The issue was reported by Turkey's national CSIRT, USOM.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL). The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) shows it is exploitable over the network, at low attack complexity, with no privileges and no user interaction required, and it fully compromises confidentiality, integrity, and availability. That combination makes it trivially exploitable and high-impact. No entry in the CISA KEV catalog was supplied, so active exploitation is not confirmed at this time.

What's Vulnerable

No specific affected CPEs were listed in the NVD record.

Patch Status

There is no fix. Per the NVD record, the vendor was contacted and it was learned that the product is not supported. With no supported version and no vendor patch available, organizations still running Mediküm Web should treat it as permanently vulnerable; the practical remediation is to restrict or retire the exposed application (e.g., isolate it from untrusted networks or migrate off the product) rather than wait for a patch. The CVE was published on 2026-07-08 and, at the time of this record, holds a vulnerability status of "Received."

Sources