CVE-2026-10880
Published 2026-06-04
CVE-2026-10880: OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated…
Priority P267 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% (34.9th percentile)
OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a valid password.
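The defect class the advisory describes (an untrusted username spliced into the login query) next to the parameterized form that removes it, as an added example that is not OSNexus code and assumes nothing about QuantaStor's real schema; the table, rows and credentials are constructed for the demo.

```python
"""Added example (not OSNexus code): a login check built the way CWE-89 login
bugs usually are, beside the parameterized fix, on an in-memory SQLite database."""
import hashlib
import sqlite3


def _seed_db() -> sqlite3.Connection:
    # Constructed sample data: one administrator account. sha256 stands in for a
    # real password hash so the example stays dependency-free.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest(), "administrator"),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Defect pattern: the username becomes part of the SQL text, so SQL syntax in
    # the field changes what the statement means (the password clause can be cut off).
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT role FROM users WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    # Remediation: bound parameters keep the username as data; it can never alter
    # the statement, whatever characters it contains.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    # Regression check a defender would keep: a username carrying a SQL comment
    # must not log in without the password once the query is parameterized.
    conn = _seed_db()
    crafted = "admin' --"  # the -- comments out the pw_hash comparison in the vulnerable form
    return {
        "vuln_bad_pw": login_vulnerable(conn, crafted, "wrong"),
        "fixed_bad_pw": login_fixed(conn, crafted, "wrong"),
        "fixed_good_pw": login_fixed(conn, "admin", "correct horse"),
    }
```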
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| osnexus | quantastor | >= 5.9 < 6.6.1 | 6.6.1 |
VulDB
Osnexus QuantaStor up to 6.6.0 Login Endpoint Username sql injection
vuldb·2026-06-04·CVSS 9.8
CVE-2026-10880 [CRITICAL] Osnexus QuantaStor up to 6.6.0 Login Endpoint Username sql injection
A vulnerability classified as critical was found in Osnexus QuantaStor up to 6.6.0. This vulnerability affects unknown code of the component Login Endpoint. The manipulation of the argument Username results in sql injection.
This vulnerability is reported as CVE-2026-10880. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is advised.
GHSA
OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint.
ghsa_unreviewed·2026-06-04
CVE-2026-10880 [CRITICAL] CWE-89 OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint.
OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a valid password.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-04