org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive informatio...

org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive informatio...

org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive informatio...

GHSA-2P5W-CVG5-GC5C Hibernate vulnerable to SQL Injection

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive informatio...

CVE-2026-0603

CVE-2026-0603 : A second-order SQL injection vulnerability in Hibernate Core via the InlineIdsOrClauseBuilder allows a remote attacker with low privileges to craft non-alphanumeric IDs to read sensitive data (e.g., system files) and manipulate or delete data, causing an application‑level denial o...