CVE-2026-4594 is a SQL injection vulnerability affecting the erupt open-source framework, specifically versions 1.13.0 through 1.13.3. The flaw exists in the geneEruptHqlOrderBy function located in erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. This function processes the sort.field parameter, which is used to dynamically construct Hibernate Query Language (HQL) ORDER BY clauses. Due to insufficient input validation or sanitization, an attacker can manipulate this parameter to inject arbitrary SQL code into the HQL query. Since Hibernate translates HQL into SQL queries executed against the underlying database, this injection can lead to unauthorized data retrieval, modification, or deletion. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The vendor was informed prior to public disclosure but has not responded or issued a patch. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction needed, and partial impact on confidentiality, integrity, and availability. Although no known exploits are currently active in the wild, the public disclosure and lack of vendor response heighten the urgency for mitigation. This vulnerability primarily affects Java applications using erupt for data persistence and query construction, potentially exposing sensitive database information or enabling data corruption.

The exploitation of CVE-2026-4594 can have significant consequences for organizations using the erupt framework in their Java applications. Successful SQL injection attacks can lead to unauthorized access to sensitive data, including confidential business information, personally identifiable information (PII), or intellectual property. Attackers may also modify or delete critical data, impacting data integrity and availability. Since the vulnerability allows remote exploitation without authentication, attackers can launch attacks from anywhere on the internet, increasing the attack surface. This can result in data breaches, regulatory non-compliance, reputational damage, and operational disruptions. Organizations relying on erupt for database interactions are at risk of compromise, especially if the underlying databases contain critical or sensitive information. The lack of vendor patches further exacerbates the risk, as organizations must implement their own mitigations or risk exposure until a fix is available.

To mitigate CVE-2026-4594, organizations should first audit their use of the erupt framework, identifying all instances of versions 1.13.0 through 1.13.3. Immediate mitigation steps include implementing strict input validation and sanitization on the sort.field parameter to prevent injection of malicious characters or SQL syntax. Employ parameterized queries or prepared statements where possible to avoid dynamic query construction based on user input. If feasible, temporarily disable or restrict functionality that allows user-controlled sorting until a patch is available. Monitor application logs for suspicious query patterns indicative of injection attempts. Network-level protections such as Web Application Firewalls (WAFs) can be configured to detect and block SQL injection payloads targeting the affected endpoints. Organizations should also engage with the erupt community or maintainers to track patch releases and apply updates promptly once available. Additionally, conduct security testing and code reviews focused on query construction to identify and remediate similar injection risks proactively.