HIGH
BillaBear
CVE published 2026-05-19
CVE-2026-31069
CVE-2026-31069 is a high-severity SQL injection in BillaBear's EventRepository. The issue comes from direct interpolation of user-controlled metric filter names and aggregation properties into SQL via sprintf(), while only the filter values are parameterized. Because the identifiers are not sanitized or quoted, an authenticated attacker with ROLE_ACCOUNT_MANAGER access can influence the query structure an [truncated]
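The defect class described above (bound values, but identifiers placed into the SQL string with sprintf()) is closed by resolving every user-supplied name against an allow-list before it reaches the query text. The sketch below is an added example, not BillaBear's code or its actual patch; the `event` table, the column names, the allow-lists and `buildMetricQuery()` are hypothetical, and ANSI double-quoted identifiers are assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-lists: request name => identifier actually used in SQL.
const FILTER_COLUMNS = ['region' => 'region', 'plan' => 'plan_code'];
const AGGREGATIONS = ['sum' => 'SUM', 'max' => 'MAX', 'count' => 'COUNT'];
const AGGREGATION_PROPERTIES = ['value' => 'value', 'duration' => 'duration_ms'];

/**
 * Builds the aggregate query. Identifiers come only from the allow-lists,
 * never from the request text; values are bound as named parameters.
 *
 * @param array<string|int, scalar> $filters user-supplied filter name => value
 * @return array{0: string, 1: array<string, scalar>} SQL text and parameters
 */
function buildMetricQuery(string $aggregation, string $property, array $filters): array
{
    if (!array_key_exists($aggregation, AGGREGATIONS)
        || !array_key_exists($property, AGGREGATION_PROPERTIES)) {
        throw new InvalidArgumentException('Unknown aggregation or property');
    }
    // sprintf() is safe here only because both arguments are constants.
    $sql = sprintf(
        'SELECT %s("%s") FROM event WHERE 1 = 1',
        AGGREGATIONS[$aggregation],
        AGGREGATION_PROPERTIES[$property]
    );
    $params = [];
    $i = 0;
    foreach ($filters as $name => $value) {
        if (!is_string($name) || !array_key_exists($name, FILTER_COLUMNS)) {
            throw new InvalidArgumentException('Unknown filter name');
        }
        // The placeholder name is generated here, not derived from input.
        $placeholder = 'f' . $i++;
        $sql .= sprintf(' AND "%s" = :%s', FILTER_COLUMNS[$name], $placeholder);
        $params[$placeholder] = $value;
    }
    return [$sql, $params];
}

// Constructed sample input: one valid request, one with a tampered name.
[$sql, $params] = buildMetricQuery('sum', 'value', ['region' => 'eu']);
echo $sql, ' ', json_encode($params), PHP_EOL;

try {
    buildMetricQuery('sum', 'value', ['plan" --' => 'pro']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting unknown names outright, instead of escaping them, also gives a clean signal to log: a filter or aggregation name that is not on the list never comes from the normal UI.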