BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
No data.
No data.
No data.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 19 May 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands. | |
| References |
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-05-19T15:10:48.852Z
Reserved: 2026-03-09T00:00:00.000Z
Link: CVE-2026-31069
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-05-19T16:16:20.230
Modified: 2026-05-19T16:16:20.230
Link: CVE-2026-31069
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.