CRITICAL · CVE-2026-7486 · Published · Modified · CNA TR-CERT

CVE-2026-7486: SQLi in Netcad's E-İmar

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Netcad Software Inc. E-İmar allows SQL Injection. This issue affects E-İmar: from 2.10.1.0 before 3.0.2.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 3.0.2
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A SQL injection vulnerability affects Netcad Software Inc.'s E-İmar application, versions from 2.10.1.0 up to, but not including, 3.0.2. The flaw is reachable over the network without any authentication, meaning an attacker can send crafted HTTP requests directly to the application. Successful exploitation gives the attacker full read, write, and denial-of-service capabilities over the underlying database. A patched-image rebuild at version 3.0.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-7486 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected E-İmar base layers.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 9.8 (Critical) and weighting it against each environment's compliance policy, then routing the finding to the appropriate team inbox within each customer organization.

Status: Available

Patch

A patched-image rebuild at E-İmar version 3.0.2 becomes available on HarborGuard for any environment where an affected image version is detected. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The application is exposed over the network, so an attacker must be able to reach the service via HTTP or HTTPS to deliver a malicious SQL payload.

  • Authentication: Not required

    No account or session token is needed; the vulnerable endpoint accepts and processes unauthenticated requests.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user action such as clicking a link or opening a file is required.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental pre-configuration.

Blast Radius

  • An attacker can read all data stored in the database, including user credentials, session tokens, and any application records managed by E-İmar.
  • An attacker can insert, update, or delete database rows, corrupting planning records or injecting malicious data into the application.
  • An attacker can crash or hang the database service by issuing resource-exhausting queries, taking the E-İmar application offline.
  • Depending on database server configuration, an attacker may escalate to operating-system command execution via database-native file or shell features.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-7486 is active the moment the advisory is ingested, and a rebuild against E-İmar 3.0.2 is queued for any image found running an affected version, from 2.10.1.0 up to, but not including, 3.0.2. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads. For high and critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with severity, affected image tags, and the available fix version so engineers can act immediately.

Until an upgrade to 3.0.2 is applied, network-policy controls that restrict inbound access to the E-İmar service to trusted IP ranges serve as a compensating control to reduce exposure.

Fix available: 3.0.2

Affected packages

  • Netcad Software Inc. / E-İmar: < 3.0.2 (from 2.10.1.0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H