Multiple vulnerabilities in the Wakyma web application

Posted date 16/03/2026
Identifier
INCIBE-2026-0196
Importance
4 - High
Affected Resources

Wakyma web application.

Description

INCIBE has coordinated the publication of 5 vulnerabilities (3 high and 2 medium) affecting the Wakyma web application, a management and marketing software for veterinary centers. The vulnerabilities were discovered by Bruno López Trigo (n0d0n).

The following codes, CVSS v4.0 base scores, CVSS vectors and CWE vulnerability types have been assigned to each vulnerability:

  • CVE-2026-3020: CVSS v4.0: 8.6 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-639
  • CVE-2026-3021: CVSS v4.0: 7.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-943
  • CVE-2026-3022: CVSS v4.0: 7.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-943
  • CVE-2026-3023: CVSS v4.0: 5.3 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-943
  • CVE-2026-3024: CVSS v4.0: 4.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

Wakyma has fixed the vulnerabilities through its continuous-integration pipeline; the fixed version has been deployed in production since February 19, 2026.

Detail
  • CVE-2026-3020: Identity-based authorization bypass (IDOR) vulnerability that allows an attacker to modify the data of a legitimate user account, for example by changing the victim's email address, validating the new address and requesting a new password. This could give them complete control of other users' legitimate accounts.
  • CVE-2026-3021: NoSQL injection (NoSQLi) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. An authenticated user could tamper with a GET request to the affected endpoint in order to inject NoSQL commands, leading to the enumeration of sensitive employee data.
  • CVE-2026-3022: NoSQL injection (NoSQLi) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. An authenticated user could tamper with a POST request to the affected endpoint in order to inject NoSQL commands, allowing the attacker to obtain customer reports.
  • CVE-2026-3023: NoSQL injection (NoSQLi) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. An authenticated user could tamper with a POST request to the affected endpoint in order to inject NoSQL commands, allowing them to list both pets and owner names.
  • CVE-2026-3024: Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey, which would affect the entire veterinary team. Likewise, a low-privileged user could exploit this vulnerability to access unauthorized data and perform actions with elevated privileges.
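The NoSQLi entries (CVE-2026-3021 to CVE-2026-3023) and the IDOR entry (CVE-2026-3020) share a common defensive pattern: refuse request parameters that a query-string parser has turned into objects, and take the ownership constraint from the server-side session rather than from the request. The example below is added for this advisory and is not Wakyma's code; the names rejectOperators, requireIdString, buildEmployeeLookup and session.centerId are assumptions.

```javascript
// Added example (not Wakyma's code): parameter guard for a NoSQL-backed
// endpoint plus a session-derived ownership constraint on the lookup.

// Recursively reject objects whose keys look like driver operators ("$ne",
// "$regex") or dotted paths. Common query-string parsers turn ?id[$ne]=x
// into { id: { $ne: "x" } }, which a driver evaluates as an operator
// instead of a literal value.
function rejectOperators(value, path = "param") {
  if (value === null || typeof value !== "object") return value;
  for (const key of Object.keys(value)) {
    if (key.startsWith("$") || key.includes(".")) {
      throw new TypeError(`${path}.${key}: operator keys are not allowed`);
    }
    rejectOperators(value[key], `${path}.${key}`);
  }
  return value;
}

// Coerce a single identifier parameter to a short plain string; objects,
// arrays and undefined are rejected rather than handed to the driver.
function requireIdString(name, value) {
  if (typeof value !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(value)) {
    throw new TypeError(`${name} must be a short alphanumeric string`);
  }
  return value;
}

// Build the filter for an "employee by id" lookup. centerId (assumed
// session field) comes from the authenticated session, never from the
// request, so a valid id that belongs to another veterinary center
// matches nothing: the authorization check lives in the query itself.
function buildEmployeeLookup(session, rawQuery) {
  rejectOperators(rawQuery, "query");
  const employeeId = requireIdString("id", rawQuery.id);
  return { _id: employeeId, centerId: session.centerId };
}
```

The returned filter is what would be passed to the driver's find/findOne call; any request that fails the guards is rejected before a query is built.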
CVE

CVE identifier   Severity   Exploitation   Vendor
CVE-2026-3020    High       No             Wakyma
CVE-2026-3021    High       No             Wakyma
CVE-2026-3022    High       No             Wakyma
CVE-2026-3023    Medium     No             Wakyma
CVE-2026-3024    Medium     No             Wakyma