{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2409", "assignerOrgId": "1443cd92-d354-46d2-9290-d812316ca43a", "state": "PUBLISHED", "assignerShortName": "Delinea", "dateReserved": "2026-02-12T14:56:45.684Z", "datePublished": "2026-02-19T17:55:00.988Z", "dateUpdated": "2026-02-20T20:26:09.822Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Cloud Suite", "vendor": "Delinea", "versions": [{"lessThan": "25.2 HF1", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "25.2 HF1 or later"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jess Parker (jparker@calottery.com)"}, {"lang": "en", "type": "finder", "value": "Radu Enachi (renachi@calottery.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.<p>This issue affects Cloud Suite: before 25.2 HF1.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.This issue affects Cloud Suite: before 25.2 HF1."}], "impacts": [{"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6 Argument Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1443cd92-d354-46d2-9290-d812316ca43a", "shortName": "Delinea", "dateUpdated": "2026-02-19T17:55:00.988Z"}, "references": [{"url": "https://docs.delinea.com/online-help/cloud-suite/release-notes/cloud-suite/25.2.htm#Resolved"}, {"url": "https://delinea.com/security-advisories"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T20:25:55.683217Z", "id": "CVE-2026-2409", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:26:09.822Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T20:25:55.683217Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:26:04.954Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jess Parker (jparker@calottery.com)"}, {"lang": "en", "type": "finder", "value": "Radu Enachi (renachi@calottery.com)"}], "impacts": [{"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6 Argument Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Delinea", "product": "Cloud Suite", "versions": [{"status": "affected", "version": "0", "lessThan": "25.2 HF1", "versionType": "custom"}, {"status": "unaffected", "version": "25.2 HF1 or later"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.delinea.com/online-help/cloud-suite/release-notes/cloud-suite/25.2.htm#Resolved"}, {"url": "https://delinea.com/security-advisories"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.This issue affects Cloud Suite: before 25.2 HF1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.<p>This issue affects Cloud Suite: before 25.2 HF1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "1443cd92-d354-46d2-9290-d812316ca43a", "shortName": "Delinea", "dateUpdated": "2026-02-19T17:55:00.988Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2409", "state": "PUBLISHED", "dateUpdated": "2026-02-20T20:26:09.822Z", "dateReserved": "2026-02-12T14:56:45.684Z", "assignerOrgId": "1443cd92-d354-46d2-9290-d812316ca43a", "datePublished": "2026-02-19T17:55:00.988Z", "assignerShortName": "Delinea"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.This issue affects Cloud Suite: before 25.2 HF1."}, {"lang": "es", "value": "La vulnerabilidad de Neutralizaci\u00f3n Inadecuada de Elementos Especiales utilizados en un Comando SQL ('inyecci\u00f3n SQL') en Delinea Cloud Suite permite la Inyecci\u00f3n de Argumentos. Este problema afecta a Cloud Suite: antes de 25.2 HF1."}], "id": "CVE-2026-2409", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "1443cd92-d354-46d2-9290-d812316ca43a", "type": "Secondary"}]}, "published": "2026-02-19T18:25:00.633", "references": [{"source": "1443cd92-d354-46d2-9290-d812316ca43a", "url": "https://delinea.com/security-advisories"}, {"source": "1443cd92-d354-46d2-9290-d812316ca43a", "url": "https://docs.delinea.com/online-help/cloud-suite/release-notes/cloud-suite/25.2.htm#Resolved"}], "sourceIdentifier": "1443cd92-d354-46d2-9290-d812316ca43a", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "1443cd92-d354-46d2-9290-d812316ca43a", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,25.2 HF1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[25.2 HF1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cloud Suite", "source": "cna", "vendor": "Delinea"}, "product": "cloud_suite", "vendor": "delinea"}], "analysis": {"en": {"generated_at": "2026-04-17T18:01:30.204631+00:00", "value": {"mitigation_remediation": ["Upgrade Delinea Cloud Suite to version 25.2 HF1 or later", "Restrict the application\u2019s database user to the minimum set of privileges necessary for normal operation", "Implement input validation or WAF rules that detect and block SQL injection patterns"], "summary": {"action": "Patch Immediately", "impact": "Potential Data Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected are all instances of Delinea Cloud Suite running versions prior to 25.2 HF1. This includes any deployment of the Cloud Suite that has not been upgraded to the 25.2 HF1 release or later. No other vendors or product lines are listed as impacted.", "description_and_impact": "This vulnerability arises from an improper neutralization of special elements used within SQL commands in Delinea Cloud Suite, allowing argument injection that can lead to unauthorized data access or modification. The weakness maps to CWE\u201189, a flaw in input validation that enables attackers to craft malicious SQL statements. Such an injection could expose sensitive information or corrupt stored data.", "risk_and_exploitability": "The CVSS score of 9.3 identifies the flaw as critical, and although the EPSS score is less than 1%, indicating low exploitation probability, the vulnerability remains a high\u2011risk target for attackers seeking data exposure. The likely attack vector is through web or API interfaces that accept unsanitized user input used in database queries. The absence from CISA\u2019s KEV catalog does not reduce the potential impact for exposed systems."}}}}, "created": "2026-02-20T10:06:12.998730+00:00", "title": "SQL Injection via Argument Injection in Delinea Cloud Suite up to 25.2", "updated": "2026-04-17T18:15:26.761697+00:00", "vendors": ["delinea", "delinea$PRODUCT$cloud_suite"]}