CVE-2025-34136

EUVD-2025-22723
An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
VulnCheckCNA
6.9 MEDIUM
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
commvaultcommvault
11.32.0 ≤
𝑥
≤ 11.32.93
CNA
commvaultcommvault
11.36.0 ≤
𝑥
≤ 11.36.51
CNA
commvaultcommvault
11.38.0 ≤
𝑥
≤ 11.38.19
CNA
Common Weakness Enumeration
References
https://documentation.commvault.com/securityadvisories/CV_2025_04_2.html
https://www.vulncheck.com/advisories/commvault-commserve-web-server-unauth-sqli