CVE-2025-46546 · HIGH 8.8 · EPSS percentile 24.8%

Description

In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% probability of exploitation · percentile 24.8% · 2026-06-18T12:00:27Z
Published: 2025-04-25
Last modified: 2025-10-16

Underlying weaknesses · 1

CWE-89

References

  1. https://deiteriy.com
  2. https://gist.github.com/ArtemBrylev/59b4c0825a988f39a58b79e4e8d2f378
  3. https://sherparpa.com
  4. https://twitter.com/ArtyomBrylev


Type     | Target                                                                              | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-13214
CVE: CVE-2025-6724
CVE: CVE-2025-22523
CVE: CVE-2026-40546
CVE: CVE-2025-39569
CVE: CVE-2025-45346
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.