
3 vulnerabilities by Delinea Inc.

CVE-2025-12812 (GCVE-0-2025-12812)

Vulnerability from cvelistv5 – Published: 2026-02-18 22:10 – Updated: 2026-02-19 16:09
Title
Cloud Suite and Privileged Access Service – SQL Injection
Summary
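Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service. Remediation: This issue is fixed in Cloud Suite 25.1. Note that the version list below marks 23.1.2 and earlier as affected and 25.1 and above as unaffected; the record does not state the status of releases in between.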
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
Delinea Inc. Cloud Suite and Privileged Access Service Affected: 23.1.2 and earlier
Unaffected: 25.1 and above
Credits
Dawid Dudek

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12812",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-19T16:08:54.271880Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-19T16:09:52.937Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud Suite and Privileged Access Service",
          "vendor": "Delinea Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "23.1.2 and earlier"
            },
            {
              "status": "unaffected",
              "version": "25.1 and above"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dawid Dudek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command\n(\u0027SQL Injection\u0027) in Delinea Inc. Cloud Suite and Privileged Access Service.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\nRemediation: This issue is fixed in Cloud Suite: 25.1\u003cbr\u003e\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command\n(\u0027SQL Injection\u0027) in Delinea Inc. Cloud Suite and Privileged Access Service.\n\n\nRemediation: This issue is fixed in Cloud Suite: 25.1"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-18T22:24:40.788Z",
        "orgId": "1443cd92-d354-46d2-9290-d812316ca43a",
        "shortName": "Delinea"
      },
      "references": [
        {
          "url": "https://trust.delinea.com/?tcuUid=9681f2f0-f9b2-4c7a-abc6-1fcd65c34f46"
        },
        {
          "url": "https://docs.delinea.com/online-help/cloud-suite/release-notes/cloud-suite/25.1.htm"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cloud Suite and Privilege Access Service \u2013 SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1443cd92-d354-46d2-9290-d812316ca43a",
    "assignerShortName": "Delinea",
    "cveId": "CVE-2025-12812",
    "datePublished": "2026-02-18T22:10:35.049Z",
    "dateReserved": "2025-11-06T16:31:45.982Z",
    "dateUpdated": "2026-02-19T16:09:52.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12811 (GCVE-0-2025-12811)

Vulnerability from cvelistv5 – Published: 2026-02-18 22:08 – Updated: 2026-02-19 16:04
Title
Cloud Suite and Privileged Access Service – HTTP request smuggling vulnerability
Summary
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Delinea Inc. Cloud Suite and Privileged Access Service. If you're not using the latest Server Suite agents, this fix requires that you upgrade to Server Suite 2023.1 (agent 6.0.1) or later. If you cannot upgrade to Release 2023.1 (agent version 6.0.1) or later, you can choose one of the following versions:
  • Server Suite release 2023.0.5 (agent version 6.0.0-158)
  • Server Suite release 2022.1.10 (agent version 5.9.1-337)
CWE
  • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
Impacted products
Vendor Product Version
Delinea Inc. Cloud Suite and Privileged Access Service Unaffected: 25.1 HF5
Affected: 25.1 HF4 and earlier
Credits
Dawid Dudek

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12811",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-19T16:02:55.787935Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-19T16:04:19.494Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud Suite and Privileged Access Service",
          "vendor": "Delinea Inc.",
          "versions": [
            {
              "status": "unaffected",
              "version": "25.1 HF5"
            },
            {
              "status": "affected",
              "version": "25.1 HF4 and earlier"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dawid Dudek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Inconsistent Interpretation of\nHTTP Requests (\u0027HTTP Request Smuggling\u0027) in Delinea Inc. Cloud Suite and\nPrivileged Access Service.\u003cbr\u003e\u003cbr\u003eIf you\u0027re not using the latest Server Suite agents, this fix \u003cb\u003erequires that you upgrade\u0026nbsp;\u003c/b\u003eto Server Suite 2023.1 (agent 6.0.1) or later.\u003cul\u003e\u003cli\u003e\u003cp\u003eIf you cannot upgrade to Release 2023.1 (agent version 6.0.1) or later, you can choose one of the following versions:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eServer Suite release 2023.0.5 (agent version 6.0.0-158)\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eServer Suite release 2022.1.10 (agent version 5.9.1-337)\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\n\n\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "Improper Inconsistent Interpretation of\nHTTP Requests (\u0027HTTP Request Smuggling\u0027) in Delinea Inc. Cloud Suite and\nPrivileged Access Service.\n\nIf you\u0027re not using the latest Server Suite agents, this fix requires that you upgrade\u00a0to Server Suite 2023.1 (agent 6.0.1) or later.  *  If you cannot upgrade to Release 2023.1 (agent version 6.0.1) or later, you can choose one of the following versions:\n\n  *  Server Suite release 2023.0.5 (agent version 6.0.0-158)\n\n\n  *  Server Suite release 2022.1.10 (agent version 5.9.1-337)"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-18T22:23:56.385Z",
        "orgId": "1443cd92-d354-46d2-9290-d812316ca43a",
        "shortName": "Delinea"
      },
      "references": [
        {
          "url": "https://trust.delinea.com/?tcuUid=d512dd6a-fa40-421c-ac11-1be280b1cb83"
        },
        {
          "url": "https://docs.delinea.com/online-help/cloud-suite/release-notes/cloud-suite/25.1.htm#Resolved2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cloud Suite and Privilege Access Service\u2013 HTTP request smuggling vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1443cd92-d354-46d2-9290-d812316ca43a",
    "assignerShortName": "Delinea",
    "cveId": "CVE-2025-12811",
    "datePublished": "2026-02-18T22:08:25.254Z",
    "dateReserved": "2025-11-06T16:31:44.269Z",
    "dateUpdated": "2026-02-19T16:04:19.494Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12810 (GCVE-0-2025-12810)

Vulnerability from cvelistv5 – Published: 2026-01-27 19:46 – Updated: 2026-01-27 20:51
Title
Failure in Password Rotation and Check-in Mechanism in Secret Server Allows Reuse of Credentials
Summary
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules). This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails. Note that the record names only these three versions as affected and does not state the status of other releases earlier than 11.9.47.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products
Vendor Product Version
Delinea Inc. Secret Server On-Prem Affected: 11.8.1
Affected: 11.9.6
Affected: 11.9.25

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12810",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T20:35:38.756081Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T20:51:42.590Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://trust.delinea.com/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "RPC Password Rotation"
          ],
          "product": "Secret Server On-Prem",
          "vendor": "Delinea Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "11.8.1"
            },
            {
              "status": "affected",
              "version": "11.9.6"
            },
            {
              "status": "affected",
              "version": "11.9.25"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).\u003cp\u003eThis issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.\u003c/p\u003e\u003cp\u003eA secret with \"change password on check in\" enabled automatically checks in even when the password change fails after reaching its retry limit.  This leaves the secret in an inconsistent state with the wrong password.\u003c/p\u003e\u003cp\u003eRemediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails.\u003c/p\u003e"
            }
          ],
          "value": "Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.\n\nA secret with \"change password on check in\" enabled automatically checks in even when the password change fails after reaching its retry limit.  This leaves the secret in an inconsistent state with the wrong password.\n\nRemediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/AU:Y/R:A",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-27T20:40:23.186Z",
        "orgId": "1443cd92-d354-46d2-9290-d812316ca43a",
        "shortName": "Delinea"
      },
      "references": [
        {
          "url": "https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-9-000047.htm"
        },
        {
          "url": "https://trust.delinea.com/?tcuUid=48260de9-954d-45c2-9c66-2c9510798a0b"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Failure in Password Rotation and Check-in Mechanism in Secret Server Allows Reuse of Credentials",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1443cd92-d354-46d2-9290-d812316ca43a",
    "assignerShortName": "Delinea",
    "cveId": "CVE-2025-12810",
    "datePublished": "2026-01-27T19:46:04.677Z",
    "dateReserved": "2025-11-06T16:31:41.109Z",
    "dateUpdated": "2026-01-27T20:51:42.590Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}