This vulnerability in KiviCare arises from improper neutralization of special elements in SQL commands, enabling Blind SQL Injection attacks. An attacker with network access and low privileges can exploit this issue without user interaction, potentially compromising data confidentiality and causing limited denial of service. The CVSS 3.1 base score is 8.5, reflecting high severity with network attack vector, low attack complexity, and no user interaction required. The affected versions include all versions up to 3.6.16. No patch or vendor advisory is currently provided, and the product is not a cloud service.

Successful exploitation can lead to unauthorized disclosure of sensitive information (high confidentiality impact) and limited disruption of service (low availability impact). Integrity impact is not indicated. The vulnerability requires low privileges but no user interaction, making it a significant risk in environments where the vulnerable software is deployed.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict network access to the affected application and monitor for suspicious activity related to SQL injection attempts. Avoid exposing the vulnerable system to untrusted networks.