CVE-2026-27851: Safe Filter Bug Enables SQL/LDAP Injection
The National Vulnerability Database has issued an advisory for CVE-2026-27851, a high-severity vulnerability (CVSS 7.4) where the ‘safe’ filter, when used with variable expansion, incorrectly extends its safety interpretation to subsequent pipelines on the same string. This flaw allows for unsafe data to be unescaped, opening the door for SQL or LDAP injection attacks, particularly concerning in authentication contexts.
This vulnerability fundamentally undermines the intended security controls of the ‘safe’ filter. Attackers can leverage this misinterpretation to bypass input sanitization, injecting malicious payloads that could lead to unauthorized access, data exfiltration, or system compromise. While no public exploits are currently known, the risk of injection attacks, especially those targeting authentication mechanisms, is significant and often leads to widespread impact.
Defenders should prioritize patching systems utilizing the ‘safe’ filter with variable expansion as soon as a fix becomes available. Until then, the National Vulnerability Database advises avoiding the use of the ‘safe’ filter in such configurations. Organizations must review their codebases and configurations to identify any instances where this pattern might be present, especially in critical authentication flows.
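The mechanism described above, as an added toy model rather than the affected project's code (which the advisory does not show): a template pipeline in which a `safe` mark set by the `safe` filter leaks through variable expansion, beside a fixed expansion stage that escapes each substituted value for its sink. The pipeline, the `${var}` expansion syntax and the minimal SQL/LDAP escapers are assumptions for illustration.

```python
"""Constructed model of a 'safe' mark that wrongly survives variable
expansion (the bug class in the advisory) next to a corrected stage.
Not the affected project's code; the pipeline shape is an assumption."""
import re

VAR = re.compile(r'\$\{(\w+)\}')  # assumed ${name} expansion syntax


class SafeStr(str):
    """Marker: already escaped for the sink, must not be escaped again."""


def escape_ldap(value: str) -> str:
    # RFC 4515 escaping of the characters that change filter structure
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)


def escape_sql(value: str) -> str:
    # Minimal escaping for a single-quoted SQL string literal
    return value.replace("'", "''")


def safe_filter(value: str) -> SafeStr:
    # The template author marks the literal template text as safe
    return SafeStr(value)


def expand_buggy(template: str, variables: dict) -> str:
    # BUG: the expanded result inherits the template's 'safe' mark even
    # though the substituted variable values were never escaped.
    out = VAR.sub(lambda m: variables[m.group(1)], template)
    return SafeStr(out) if isinstance(template, SafeStr) else out


def expand_fixed(template: str, variables: dict, escape) -> SafeStr:
    # FIX: escape every expanded value for the sink; only then is the
    # whole string legitimately safe.
    return SafeStr(VAR.sub(lambda m: escape(variables[m.group(1)]), template))


def render(value: str, escape) -> str:
    # Final sink stage: escape anything not already marked safe
    return value if isinstance(value, SafeStr) else escape(value)


def build(template_text: str, variables: dict, escape, buggy: bool) -> str:
    template = safe_filter(template_text)
    stage = (expand_buggy(template, variables) if buggy
             else expand_fixed(template, variables, escape))
    return render(stage, escape)
```

The same untrusted value reaches the LDAP or SQL sink unescaped through the buggy stage and escaped through the fixed one.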
What This Means For You
- If your applications use a 'safe' filter with variable expansion, you are exposed to potential SQL/LDAP injection. Audit your codebase immediately for this pattern and either patch to a fixed version or disable the 'safe' filter where variable expansion is used, especially in authentication logic. This is a direct path to compromise.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-27851 | SQLi | safe filter with variable expansion incorrectly interprets following pipelines as safe |
| CVE-2026-27851 | LDAP Injection | safe filter with variable expansion incorrectly interprets following pipelines as safe |
| CVE-2026-27851 | Auth Bypass | unsafe data unescaped via safe filter with variable expansion |
Source & Attribution
- Source Platform: NVD
- Channel: National Vulnerability Database
- Published: May 12, 2026 at 17:16 UTC
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.