Bacula-Web CVE-2025-45346
Affected versions
Bacula-Web versions < 9.7.1 are affected by an SQLi vulnerability.
I strongly encourage all users to upgrade to the latest available stable release as soon as possible.
Description
An authenticated attacker can exploit SQL injection (SQLi) vulnerabilities in the database through the web application.
For more details, see CVE-2025-45346
Resolution
The handling of user input and the way the database is queried in the Job file reports have been fixed.
The patch can be found here.
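To illustrate the class of fix described above, here is an added example that is not Bacula-Web's own code and not the actual patched code: a Job file report lookup written first with the request value interpolated into the SQL string (the pattern that allows SQLi) and then with type validation plus a bound parameter. The PDO connection, the `jobid` request parameter, and the Bacula catalog `File` table and columns used here are assumptions for the example.

```php
<?php
// Added example, not Bacula-Web's own code. Assumes a PDO connection to a
// Bacula catalog and a request parameter "jobid" selecting the Job whose
// files the report lists. Table and column names are assumptions.

// Vulnerable pattern: the request value is pasted into the query text, so
// anything other than a plain number changes the meaning of the SQL.
function jobFilesUnsafe(PDO $db, array $request): array
{
    $jobid = $request['jobid'] ?? '';
    $sql = "SELECT FileId, FileIndex, PathId FROM File WHERE JobId = $jobid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer up front,
// then pass the value as a bound parameter so it can never become SQL syntax.
function jobFilesSafe(PDO $db, array $request): array
{
    $jobid = filter_var(
        $request['jobid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($jobid === false) {
        throw new InvalidArgumentException('jobid must be a positive integer');
    }

    $stmt = $db->prepare(
        'SELECT FileId, FileIndex, PathId FROM File WHERE JobId = :jobid'
    );
    $stmt->bindValue(':jobid', $jobid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

When reviewing a deployment, the practical check is that every report page reaches the catalog only through the second shape: prepared statements with bound values, and no request data in the query string.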
Credits
Thanks to Kevin Suckiel for reporting the issue.
Update
Bacula-Web Docker images with versions prior to 9.7.1 have been removed from the Docker Hub registry.