HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11561Published Modified CNA TR-CERT

CVE-2026-11561: SSTI in Soagen Informatics' Apinizer

Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Apinizer allows Code Injection. This issue affects Apinizer: from 2026.04.0 before 2026.04.6.

Metrics

CVSS v3.1
9.8
Severity
CRITICAL
Fixed in
2026.04.6
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A server-side template injection (SSTI) vulnerability, technically an expression language injection, affects Apinizer by Soagen Informatics Technologies in versions 2026.04.0 through 2026.04.5. The flaw is reachable over the network without any authentication or user interaction, meaning an unauthenticated remote attacker can send a crafted request directly to the service. Successful exploitation enables arbitrary code execution on the host, giving the attacker full read, write, and availability impact. A patched-image rebuild at version 2026.04.6 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apinizer, across every connected registry and CI/CD pipeline. No manual feed subscription or policy change is needed for matching to take effect.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 9.8 Critical and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild targeting Apinizer 2026.04.6 becomes available on HarborGuard once an affected image is identified, replacing the vulnerable version in the rebuilt image layer. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Apinizer service over the network; there is no requirement for local access or physical proximity (AV:N).

  • AuthenticationNot required

    No account or credential of any privilege level is needed to trigger the vulnerability (PR:N).

  • Victim interactionNot required

    The attacker does not need a victim to click a link, open a file, or take any other action; exploitation is fully attacker-driven (UI:N).

  • Attack complexityDetail

    Exploit conditions are reliable and free of race conditions or environmental dependencies; a well-formed malicious request is sufficient (AC:L).

Blast Radius

  • A successful attacker executes arbitrary code in the context of the Apinizer process, gaining a foothold on the host.
  • All data accessible to Apinizer, including API configurations, credentials, proxied payloads, and stored secrets, can be read in full.
  • The attacker can modify or delete Apinizer configuration, proxied data, or files writable by the process.
  • The attacker can crash or hang the Apinizer service, disrupting API gateway availability for all consumers routed through it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11561 is active across all connected environments, matching images that include Apinizer versions 2026.04.0 through 2026.04.5 within minutes of the CVE being published. A patched rebuild at version 2026.04.6 is available for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard can rebuild the image at the fixed version, run regression tests, and open a pull request against affected workloads; for high and critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context so reviewers can act without needing to look up the advisory separately. Given the network-exposed, zero-authentication nature of this flaw, upgrading to 2026.04.6 or isolating the Apinizer service behind strict network policy controls should be treated as an immediate priority.

See how HarborGuard automates this

Fix available

2026.04.6
Affected packages
  • Soagen Informatics Technologies Software and Consulting Inc. / Apinizer
    < 2026.04.6 (from 2026.04.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References