CRITICAL
Umami Software application
CVE published 2026-03-31
CVE-2026-4317
A critical SQL injection vulnerability exists in Umami Software's web application, where the 'timezone' request parameter is improperly sanitized before being interpolated into database queries. The vulnerability stems from unsafe use of raw query functions including 'prisma.rawQuery', 'prisma.$queryRawUnsafe', and raw ClickHouse queries, allowing authenticated attackers to execute arbitrary SQL commands. [truncated]
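Added example (not Umami's code and not taken from the advisory): the defensive pattern for a request parameter like `timezone`. Because a timezone name is used as an identifier-like literal inside the query, the fix is to allowlist the value against the runtime's IANA zone database and, where the dialect permits, pass it as a bound parameter rather than splicing it into SQL text. The function names, table name and query shapes below are hypothetical; the unsafe builder only illustrates the interpolation pattern the advisory describes.

```javascript
// Added example, not Umami's code. Names and queries are constructed for illustration.

// Strict character set: IANA zone identifiers consist only of letters, digits,
// '/', '_', '+' and '-'. Quotes, spaces, semicolons and comment markers fail here.
const TZ_CHARSET = /^[A-Za-z0-9_+\-\/]{1,64}$/;

// Returns true only for a string the runtime's tz database actually knows.
function isValidTimezone(tz) {
  if (typeof tz !== 'string' || !TZ_CHARSET.test(tz)) return false;
  try {
    // Intl.DateTimeFormat throws RangeError for unknown zone names.
    new Intl.DateTimeFormat('en-US', { timeZone: tz });
    return true;
  } catch (e) {
    return false;
  }
}

// The pattern the advisory describes: the parameter is spliced into SQL text,
// so whatever reached the handler becomes part of the statement.
function buildQueryUnsafe(tz) {
  return `SELECT count(*) FROM website_event WHERE toTimeZone(created_at, '${tz}') >= today()`;
}

// Hardened form: reject anything outside the allowlist, and keep the value out
// of the SQL text by binding it ($1 placeholder, as a Postgres driver expects).
// Prisma's tagged-template $queryRaw binds interpolations the same way;
// $queryRawUnsafe with string concatenation does not.
function buildQuerySafe(tz) {
  if (!isValidTimezone(tz)) {
    throw new RangeError('invalid timezone parameter');
  }
  return {
    text: 'SELECT count(*) FROM website_event WHERE (created_at AT TIME ZONE $1) >= CURRENT_DATE',
    values: [tz],
  };
}

module.exports = { isValidTimezone, buildQueryUnsafe, buildQuerySafe };
```

The allowlist check matters even where binding is available: some engines require a constant timezone string in functions like `toTimeZone`, so validation is the control that holds when the value cannot be parameterized. Run in Node 18 or later, which ships the Intl timezone data.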