What is CVE-2026-5372?

CVE-2026-5372 is a medium-severity vulnerability in Runzero Platform, classified under SQL Injection. CVSS score: 6.4/10. Published 2026-04-07.

How severe is CVE-2026-5372?

Medium severity. CVSS v3 base score is 6.4 out of 10.

SQL Injection in Runzero Platform

CVE-2026-5372

An issue that allowed a SQL injection attack vector related to saved queries (introduced in version 4.0.260123.0). This is an instance of CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), and has…

Vulnerability class: SQL Injection

EPSS: 0.000 (11.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.4 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H.

Affected products

Runzero Platform — versions 4.0.260123.0

Weakness classification (CWE)

CWE-89 — SQL Injection

References

help.runzero.com/docs/release-notes/ (release-notes)
www.runzero.com/advisories/runzero-platform-saved-sqli-cve-2026-5372/ (vendor-advisory)

Frequently asked questions

What is CVE-2026-5372?: CVE-2026-5372 is a medium-severity vulnerability in Runzero Platform, classified under SQL Injection. CVSS score: 6.4/10. Published 2026-04-07.
How severe is CVE-2026-5372?: Medium severity. CVSS v3 base score is 6.4 out of 10.