Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 17 Jul 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration. | |
| Title | OpenRemote < 1.26.0 SQL Injection via Crosstab Export | |
| First Time appeared |
Openremote
Openremote openremote |
|
| Weaknesses | CWE-89 | |
| CPEs | cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Openremote
Openremote openremote |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T10:28:10.902Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62238
Updated: 2026-07-17T10:27:49.099Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T03:15:05Z