{"id":82125,"date":"2026-07-17T05:48:11","date_gmt":"2026-07-17T02:18:11","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-62238-openremote-1-26-0-sql-injection-via-crosstab-export\/"},"modified":"2026-07-17T05:48:11","modified_gmt":"2026-07-17T02:18:11","slug":"cve-2026-62238-openremote-1-26-0-sql-injection-via-crosstab-export","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-62238-openremote-1-26-0-sql-injection-via-crosstab-export\/","title":{"rendered":"CVE-2026-62238 &#8211; OpenRemote &lt; 1.26.0 SQL Injection via Crosstab Export"},"content":{"rendered":"<p>CVE ID :CVE-2026-62238<\/p>\n<p>  Published : July 17, 2026, 2:18 a.m. | 1\u00a0hour, 17\u00a0minutes ago<\/p>\n<p>  Description :OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.<\/p>\n<p>  Severity: 7.2 | HIGH<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-62238 Published : July 17, 2026, 2:18 a.m. | 1\u00a0hour, 17\u00a0minutes ago Description :OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-82125","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=82125"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82125\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=82125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=82125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=82125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}