CVE-2025-34136

Medium CVSS 6.9

Overview

An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.

CWE: CWE-89 Published: 2025-07-25T16:15:28.650

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 6.9 (MEDIUM)
Detected tags: sql, unauth_access (tag impact: HIGH)

Recommended actions:

Use parameterized queries/ORM (avoid string concatenation).
Add WAF rules and input validation.
Enforce authentication/authorization; reduce default endpoint exposure.

Overview

Recommended tools

Tags