Overview
A critical SQL injection vulnerability tracked as CVE-2026-4321 has been disclosed in Destekz, a web support plugin developed by Turkish agency Raera - Ankara Web Design and Digital Advertising Agency. The flaw carries a CVSS v3.1 base score of 9.8 — the maximum possible for network-exploitable vulnerabilities — and has been assigned CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
The advisory was filed by the Computer Emergency Response Team of the Republic of Turkey (TR-CERT) under reference TR-26-0488 and published at siberguvenlik.gov.tr. All versions of Destekz through February 6, 2026 are affected.
Technical Details
The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H tells the complete story of this vulnerability's severity:
- AV:N (Network) — Remotely exploitable over the internet
- AC:L (Low Complexity) — No special conditions required
- PR:N (No Privileges) — Unauthenticated exploitation
- UI:N (No User Interaction) — Fully passive; the victim does not need to do anything
- C:H / I:H / A:H — Full confidentiality, integrity, and availability impact
An unauthenticated attacker can craft malicious SQL input through vulnerable parameters in Destekz to manipulate the underlying database. Depending on the database server configuration, this could allow complete data exfiltration, modification or destruction of records, and potentially remote code execution via xp_cmdshell or INTO OUTFILE techniques.
No Patch — Product Abandoned
Upon disclosure, TR-CERT contacted Raera and confirmed the Destekz product is no longer supported by the vendor. There is no patch, no workaround, and no fix forthcoming. This places all installations in a permanently vulnerable state unless the plugin is removed.
Organizations running Destekz must take the following immediate action:
- Remove Destekz immediately from all production environments
- Audit database logs for unusual queries indicating prior exploitation
- Rotate all database credentials accessible to the plugin
- Review web access logs for injection patterns (e.g.,
UNION SELECT,'; --,OR 1=1)
Affected Versions
| Product | Vendor | Affected Versions |
|---|---|---|
| Destekz | Raera - Ankara Web Design | All versions through 02/06/2026 |
References
- NVD Advisory
- TR-CERT Advisory TR-26-0488 — siberguvenlik.gov.tr
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command