PatchSiren cyber security CVE debrief
CVE-2026-44923 Veritas CVE debrief
CVE-2026-44923 is a medium-severity SQL injection vulnerability affecting InfoScale VIOM before v9.1.3. According to the supplied NVD record, it is network-reachable, requires no user interaction, and can allow remote attackers to escalate privileges. The record is still marked "Awaiting Analysis" in NVD, and the official references point to vendor security bulletin material for InfoScale Operations Manager / IOM web application guidance.
- Vendor: Veritas
- Product: InfoScale VIOM
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Administrators and security teams responsible for Veritas/InfoScale management web applications, especially any VIOM/IOM deployment exposed to internal or external networks. This is most important for teams that manage privileged infrastructure through the web interface and for organizations that rely on rapid patching of management-plane services.
Technical summary
The supplied record describes CVE-2026-44923 as an SQL injection issue (CWE-89) in InfoScale VIOM before v9.1.3. NVD assigns CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating a network-accessible vulnerability with no privileges or user interaction required. The listed impact is privilege escalation, and the official references include vendor support/bulletin pages tied to the InfoScale Operations Manager / IOM web application. The exact product naming in the source set is inconsistent, so attribution should be handled carefully and verified against the vendor bulletin for the affected deployment.
Defensive priority
Medium severity overall, but prioritize quickly if the management web application is reachable from untrusted or broadly accessible networks.
Recommended defensive actions
- Inventory InfoScale VIOM/IOM deployments and confirm whether any instance is running a version earlier than v9.1.3.
- Apply the vendor-recommended update path to v9.1.3 or later using the official bulletin guidance.
- Restrict access to the management web application to trusted administrative networks only.
- Review authentication, privilege, and application logs for unusual requests or unexpected privilege changes.
- Validate that the management plane is segmented from general user and internet-facing traffic.
- Reassess exposure after remediation to ensure no legacy instances remain online.
Evidence notes
The debrief is based only on the supplied corpus. NVD lists CVE-2026-44923 with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N and weakness CWE-89, and it states vulnStatus "Awaiting Analysis." The source references point to an official support bulletin titled "InfoScale_Operations_Manager_IOM_web_application_Security_Bulletin_for_CVE_2026_44923_CVE_2026_44924_and_CVE_2026_44925" and a Veritas support document, which support the product-family context but also show naming inconsistency with the CVE title's "InfoScale VIOM." The provided published and modified timestamps are both 2026-05-20.
Official resources
- CVE-2026-44923 CVE record (CVE.org)
- CVE-2026-44923 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in the supplied corpus on 2026-05-20, with the NVD record also modified that same day. No KEV entry is present in the provided enrichment data.