CVE-2026-4594: SQL Injection Hibernate in erupts erupt
CVE-2026-4594 is a SQL injection vulnerability in the erupt open-source framework versions up to 1.13.3. It affects the geneEruptHqlOrderBy function in the erupt-jpa module, where the sort.field argument is improperly sanitized, allowing remote attackers to inject malicious SQL via Hibernate queries. No authentication or user interaction is required to exploit this vulnerability. Although the vendor was notified, no response or patch has been issued, and public exploit details are available. The CVSS 4.0 score is 6.9 (medium severity), reflecting the potential for data exposure and integrity compromise but with limited scope and no privilege escalation.
AI Analysis
Technical Summary
CVE-2026-4594 is a SQL injection vulnerability found in the erupt open-source framework, specifically affecting versions 1.13.0 through 1.13.3. The vulnerability resides in the geneEruptHqlOrderBy function within the erupt-jpa module (erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java). This function processes the sort.field parameter, which is used to construct Hibernate Query Language (HQL) order by clauses. Due to insufficient input validation or sanitization, an attacker can manipulate this parameter to inject arbitrary SQL code into the HQL query. Since Hibernate translates HQL into SQL, this injection can lead to unauthorized database queries, potentially exposing or altering sensitive data. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The vendor was notified early but has not responded or issued a patch, and exploit details have been publicly disclosed, raising the likelihood of exploitation. The CVSS 4.0 base score is 6.9, indicating medium severity, with network attack vector, no privileges or user interaction needed, and partial impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported yet, but public disclosure increases risk. The lack of vendor response means organizations must rely on mitigations or workarounds until an official fix is available.
Potential Impact
The primary impact of CVE-2026-4594 is unauthorized access to or manipulation of database contents managed by applications using the erupt framework. Attackers can exploit the SQL injection to read sensitive data, modify records, or potentially escalate attacks to compromise the underlying database server. This can lead to data breaches, loss of data integrity, and disruption of application functionality. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to publicly accessible services using affected versions. Organizations relying on erupt for critical data operations may face regulatory compliance issues, reputational damage, and operational downtime if exploited. The medium severity score reflects that while the impact is serious, the scope is limited to applications using the vulnerable function and versions. However, the public availability of exploit information increases the urgency for mitigation. The absence of a vendor patch means that the threat may persist for an extended period, increasing exposure.
Mitigation Recommendations
To mitigate CVE-2026-4594, organizations should first identify all instances of erupt framework usage, particularly versions 1.13.0 through 1.13.3. Until an official patch is released, the following specific actions are recommended:
1) Disable or restrict the functionality that uses the geneEruptHqlOrderBy function if feasible, especially any user-controllable sorting features.
2) Implement strict input validation and sanitization on the sort.field parameter to allow only known safe field names or whitelist acceptable values.
3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious HQL or SQL injection patterns targeting the vulnerable parameter.
4) Isolate database access for erupt-based applications with least privilege principles to limit potential damage.
5) Monitor database logs and application logs for unusual query patterns indicative of injection attempts.
6) Prepare incident response plans for potential exploitation scenarios.
7) Engage with the erupt community or maintainers to track patch developments and apply updates promptly once available.
8) Consider alternative frameworks or versions if mitigation is not feasible in the short term.
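Recommendation 2 in practice: the pattern below shows the vulnerable shape (a user-supplied sort field concatenated straight into the HQL order-by clause) next to a hardened builder that accepts only field names from a per-entity allowlist. This is an added illustration written for this page, not erupt's own code; the entity names, field names and the SafeOrderBy class are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Building an HQL "order by" clause from a user-controlled sort field.
 * Added example, not erupt code: entity and field names are hypothetical.
 */
public final class SafeOrderBy {

    // Only fields that are actually mapped on the entity may be sorted on.
    // Assumed static allowlist; a real application would derive this from
    // the JPA Metamodel so it cannot drift from the entity definitions.
    private static final Map<String, Set<String>> SORTABLE_FIELDS = Map.of(
        "User",  Set.of("id", "username", "createTime"),
        "Order", Set.of("id", "amount", "status")
    );

    // Defence in depth: a sort field is an identifier, optionally dotted for a
    // nested path. Spaces, parentheses, quotes and commas never pass this check.
    private static final Pattern IDENTIFIER =
        Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*$");

    /** The vulnerable shape: whatever the client sent becomes part of the query text. */
    static String unsafeOrderBy(String alias, String sortField, String direction) {
        return " order by " + alias + "." + sortField + " " + direction;
    }

    /** Hardened: the field must be allowlisted and the direction is normalised. */
    static String safeOrderBy(String entity, String alias, String sortField, String direction) {
        Set<String> allowed = SORTABLE_FIELDS.get(entity);
        if (allowed == null || sortField == null
                || !IDENTIFIER.matcher(sortField).matches()
                || !allowed.contains(sortField)) {
            // Reject rather than "clean up": the request is malformed or hostile.
            throw new IllegalArgumentException("unsortable field: " + sortField);
        }
        String dir = "desc".equalsIgnoreCase(direction) ? "desc" : "asc";
        return " order by " + alias + "." + sortField + " " + dir;
    }

    public static void main(String[] args) {
        System.out.println(safeOrderBy("User", "u", "username", "DESC"));
        // A value that is not a mapped field never reaches Hibernate.
        try {
            safeOrderBy("User", "u", "user name", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejected requests are a useful detection signal too (recommendation 5): log the entity, the offending value and the source address at the point of rejection.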
Affected Countries
United States, China, Germany, India, Japan, Brazil, South Korea, France, United Kingdom, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-22T11:59:37.833Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c17fd9f4197a8e3b7d5de6
Added to database: 3/23/2026, 6:00:57 PM
Last enriched: 3/30/2026, 8:43:00 PM
Last updated: 5/7/2026, 5:01:02 AM