Bacula-Web CVE-2025-45346

Davide Franco
Official maintainer

Affected versions

Bacula-Web versions < 9.7.1 are affected by this security issue.

I strongly encourage all users to upgrade to the latest available stable release as soon as possible.

Description

An attacker with valid credentials can perform SQL injection (SQLi) against the database through the web application.

For more details, see CVE-2025-45346

Resolution

The way to handle user input and query the database in Job file reports has now been fixed.

The patch can be found here

Credits

Thanks to Kevin Suckiel for reporting the issue.