CVE-2026-15804

MetaGuru · HCM

MetaGuru HCM is susceptible to SQL injection, which could allow an authenticated attacker to manipulate database queries and potentially access or modify sensitive data.

Executive summary

A SQL injection vulnerability in MetaGuru HCM allows authenticated attackers to execute arbitrary database queries, leading to potential data theft or unauthorized modification.

Vulnerability

This is a SQL injection vulnerability (CWE-89) that fails to properly sanitize special elements used in SQL commands. It requires an authenticated user to exploit, allowing them to interfere with the application's database backend.

Business impact

Successful exploitation allows attackers to bypass standard application logic to read, modify, or delete sensitive records stored in the database. With a CVSS score of 8.8, this poses a significant threat to data integrity and confidentiality, potentially resulting in severe operational disruption or regulatory non-compliance.

Remediation

Immediate Action: Upgrade MetaGuru HCM to version 7.5.3 or 8.1.7.1, depending on the current branch, to resolve the injection flaw.

Proactive Monitoring: Enable database query logging to detect anomalous or highly complex SQL commands that deviate from standard application behavior.

Compensating Controls: Apply parameterized query enforcement or use a Web Application Firewall (WAF) with SQL injection detection capabilities to filter malicious input.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Organizations should treat this SQL injection vulnerability with high urgency. Patching the application is the primary defense; until updates are applied, restrict access to the application to trusted users only and implement strict input validation controls.