CVE-2026-30711 identifies multiple authenticated SQL injection vulnerabilities in Devome GRR version 4.5.0, located in the include/session.inc.php file. The injection points are the HTTP headers 'referer' and 'user-agent', which are improperly sanitized before being used in SQL queries. An attacker with authenticated access and low privileges can exploit these injection points to execute arbitrary SQL commands on the backend database. This can lead to unauthorized data disclosure, modification, or deletion, as well as potential full system compromise. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 8.8, reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are currently known, and no patches have been linked yet. However, the vulnerability's presence in a forensic and incident response tool like Devome GRR raises concerns about the potential for attackers to manipulate or exfiltrate sensitive forensic data, undermining investigations and response efforts.

The impact of CVE-2026-30711 is significant for organizations using Devome GRR 4.5.0, especially those relying on it for digital forensics and incident response. Successful exploitation can lead to unauthorized access to sensitive forensic data, alteration or deletion of critical investigation records, and potential full system compromise. This undermines the integrity and reliability of forensic evidence, which can have legal and operational consequences. The vulnerability's network accessibility and low privilege requirement increase the risk of exploitation by insider threats or compromised user accounts. Organizations may face data breaches, loss of trust, regulatory penalties, and disruption of security operations. The absence of known exploits currently provides a window for proactive mitigation, but the high CVSS score indicates that exploitation would be severe.

1. Immediately restrict access to Devome GRR instances to trusted networks and users only, minimizing exposure. 2. Implement strict input validation and sanitization for HTTP headers, especially referer and user-agent, at the application or web server level as a temporary control. 3. Monitor logs for unusual or malformed referer and user-agent header values that could indicate exploitation attempts. 4. Enforce the principle of least privilege for all authenticated users to limit potential damage from exploitation. 5. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting these headers. 6. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available. 7. Conduct regular security assessments and penetration tests focusing on authenticated attack vectors. 8. Educate administrators and users about the risks of SQL injection and the importance of secure coding and configuration practices. 9. Consider isolating forensic tools like Devome GRR from other critical infrastructure to contain potential compromises.