External risk intelligence

ureport SQL Injection Allows Database Access

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38158

The vulnerability exists in a reporting component (/ureport/datasource/previewData) of a web application. Such components are commonly deployed as web interfaces or services accessible over the network, making them likely to be exposed as part of a web application's standard external-facing attack surface.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical SQL injection vulnerability has been identified in a component related to data previews within the ureport software. This flaw could potentially allow unauthorized access to sensitive database information. The primary concern at this time is to determine if this software and specific component are in use within our environment.

  • Sensitive data exposure risk exists.
  • Understand if ureport is in use.
  • Confirm relevance and exposure across the organization.

Attack Path

How an attacker could exploit the issue

An attacker could access sensitive database information by sending specially crafted SQL statements to the `/ureport/datasource/previewData` component of ureport. This vulnerability is accessible over the network and does not require any authentication or user interaction to be triggered. Successfully exploiting this flaw could lead to a complete compromise of the database.

  • No authentication required.
  • Crafted SQL sent to `/ureport/datasource/previewData`.
  • Access to sensitive database information.

Live Threat

Current exploitation, exposure, and threat context

A SQL injection vulnerability in the database preview component of ureport could allow unauthenticated attackers to access sensitive database information by submitting malicious SQL queries. This could expose data stored within the application's database.

  • Database information.
  • Crafted SQL statements submitted to the preview component.
  • Exposure of sensitive database contents.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for application code, database administration, and network security will likely need to coordinate on this vulnerability. The first practical step is to identify all instances of the affected reporting component, assess their network reachability and business criticality, and then determine the accountable owner for remediation planning and execution.

  • Application owners should manage the issue.
  • Verify network exposure and business impact.
  • Plan coordinated remediation with vendors.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ureport and what is it used for?

Ureport is a reporting engine often integrated into Java-based web applications to generate and preview data visualizations or reports. It provides tools for users to design and export data sets, which typically involves connecting directly to backend databases to populate the information displayed in the report interface.

What is the vulnerability in CVE-2026-38158?

This vulnerability is a SQL injection, which falls under the CWE-89 weakness class. It occurs when an application improperly handles user-supplied data in a database query. In this specific case, the component responsible for previewing data fails to sanitize inputs, allowing an attacker to inject and execute their own SQL commands against the database.

How does an attacker trigger this SQL injection?

An attacker triggers this flaw by sending a specially crafted SQL statement to the specific path /ureport/datasource/previewData. The vulnerability does not require the attacker to have an account, nor does it require any interaction from a legitimate user. Simply accessing that component with the malicious query is sufficient to initiate the attack.

Is my ureport instance at risk?

According to Halo Surface Signal, this component is designed as a web interface, meaning it is commonly exposed to the network. If your instance is reachable from the internet, it is at higher risk. You should determine if this component is accessible by unauthorized users or if it is restricted to internal network segments only.

What should I do first if I use ureport?

Your first step is to locate all instances of ureport within your environment to confirm if the specific /ureport/datasource/previewData component is active. Once identified, evaluate the network accessibility of these instances and coordinate with your application and database teams to assess the business impact and prepare for remediation.

References