This vulnerability (CVE-2026-54827) is an improper neutralization of special elements used in an SQL command (CWE-89) in contempoinc Real Estate 7. It affects versions up to 3.5.9 and allows unauthenticated attackers to perform SQL Injection attacks. The CVSS 3.1 base score is 9.3, indicating critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and a scope change. The impact is high confidentiality loss and low availability impact. No patch or official remediation level has been published yet.

An unauthenticated attacker can exploit this SQL Injection vulnerability to execute arbitrary SQL commands on the backend database, potentially leading to disclosure of sensitive data (high confidentiality impact). The integrity impact is not indicated, and availability impact is low. This could compromise the confidentiality of the system's data without requiring authentication.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider implementing web application firewall (WAF) rules to detect and block SQL Injection attempts and restrict database permissions to minimize potential damage.