{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-46636", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T13:48:09.655Z", "dateReserved": "2024-09-11T00:00:00.000Z", "datePublished": "2026-04-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T20:49:43.103Z"}, "descriptions": [{"lang": "en", "value": "NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/"}, {"url": "https://bugcrowd.com/Xnu11"}, {"url": "https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T13:46:58.756225Z", "id": "CVE-2024-46636", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:48:09.655Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-46636", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T13:48:09.655Z", "dateReserved": "2024-09-11T00:00:00.000Z", "datePublished": "2026-04-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T20:49:43.103Z"}, "descriptions": [{"lang": "en", "value": "NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/"}, {"url": "https://bugcrowd.com/Xnu11"}, {"url": "https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-46636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T13:46:58.756225Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:44:25.819Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter"}], "id": "CVE-2024-46636", "lastModified": "2026-04-27T21:16:21.320", "metrics": {}, "published": "2026-04-27T21:16:21.320", "references": [{"source": "cve@mitre.org", "url": "https://bugcrowd.com/Xnu11"}, {"source": "cve@mitre.org", "url": "https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS"}, {"source": "cve@mitre.org", "url": "https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "8.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "modaps", "vendor": "nasa"}], "analysis": {"en": {"generated_at": "2026-04-28T13:18:42.396701+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch or newer version of MODAPS that addresses the SQL injection flaw.", "Implement proper input validation and use parameterized queries for the category parameter to eliminate direct SQL execution.", "Deploy a web\u2011application firewall (WAF) or intrusion detection system to detect and block SQL injection attempts."], "summary": {"action": "Apply Fix", "impact": "SQL Injection that can compromise the database"}, "threat_synthesis": {"affected_systems": "The affected product is NASA Earth Observing System Data and Information System (EOSDIS) MODAPS, version 8.1. No other vendors or versions are identified.", "description_and_impact": "NASA\u2019s Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 contains a flaw that allows an attacker to inject arbitrary SQL code through the category parameter. This weakness permits unauthorized manipulation or extraction of data stored in the database, potentially revealing sensitive information or allowing tampering with records.", "risk_and_exploitability": "Because no CVSS or EPSS score is published and the vulnerability is listed as not in the CISA KEV catalog, the exact exploitation likelihood is not quantified. However, the presence of a direct SQL injection path through a user\u2011controllable parameter suggests that an attacker who can send crafted requests to the application could trigger the flaw. Successful exploitation would expose or alter data within the MODAPS database, and if the database contains privileged information, the impact could be significant. The attack vector is inferred to be external, via HTTP requests to the web interface that processes the category parameter."}}}}, "created": "2026-04-28T09:17:42.723315+00:00", "title": "SQL Injection in MODAPS Category Parameter", "updated": "2026-04-28T13:30:32.084921+00:00", "vendors": ["nasa", "nasa$PRODUCT$modaps"], "weaknesses": ["CWE-89"]}