Primary

Context

Bacula-web SQL Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Patched

A SQL injection vulnerability has been identified in Bacula-web versions prior to 9.7.1. This vulnerability allows remote attackers to execute arbitrary code by sending a crafted HTTP GET request. The issue arises in the job files report for PostgreSQL Bacula catalog.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the server where Bacula-web is hosted.

Remediation

Users can upgrade to Bacula-web version 9.7.1 or later to address this vulnerability.

Added: Jul 29, 2025, 8:29 PM

Updated: Jul 29, 2025, 8:29 PM

Vulnerability Rating

Custom Algorithm

spread

0.8

impact

10.0

exploitability

8.1

remediation

7.7

relevance

0.3

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.8

impact

10.0

exploitability

8.1

remediation

7.7

relevance

0.3

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Bacula-web SQL Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Impact

Remediation

Affected Products

Bacula-web

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating