From a12cc74d9e0d9db928639a92b7651cc98fda99d1 Mon Sep 17 00:00:00 2001
From: Kenny Moens <kmoens@users.noreply.github.com>
Date: Thu, 16 Apr 2026 13:41:54 +0200
Subject: [PATCH] Improve GHSA-2p5w-cvg5-gc5c

---
 .../GHSA-2p5w-cvg5-gc5c.json                  | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/advisories/unreviewed/2026/01/GHSA-2p5w-cvg5-gc5c/GHSA-2p5w-cvg5-gc5c.json b/advisories/unreviewed/2026/01/GHSA-2p5w-cvg5-gc5c/GHSA-2p5w-cvg5-gc5c.json
index 3130b3a6a5835..b19b1d852f0c0 100644
--- a/advisories/unreviewed/2026/01/GHSA-2p5w-cvg5-gc5c/GHSA-2p5w-cvg5-gc5c.json
+++ b/advisories/unreviewed/2026/01/GHSA-2p5w-cvg5-gc5c/GHSA-2p5w-cvg5-gc5c.json
@@ -6,6 +6,7 @@
   "aliases": [
     "CVE-2026-0603"
   ],
+  "summary": "A remote attacker with low privileges could exploit a second-order SQL injection vulnerability ",
   "details": "A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.",
   "severity": [
     {
@@ -13,7 +14,27 @@
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.hibernate:hibernate-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.2.8"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 5.6.16"
+      }
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",