[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC
[+] twitter.com/_striv3r_

[Vendor of Product]
RSI Queue (https://www.rsiqueue.com/)

[Vulnerability Type]
Blind SQL Injection

[Affected Component]
The vulnerable component is the TaskID parameter of the GET request.

[CVE Reference]
CVE-2025-26086

[Security Issue]
An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the GET request handler. Attackers can remotely inject time-delayed SQL payloads to induce server response delays, enabling time-based inference and iterative extraction of sensitive database contents without authentication.

[Attack Vectors]
An attacker sends malicious SQL payloads in the TaskID parameter to trigger time delays. The server executes these queries, and the response time reveals boolean results, enabling iterative database enumeration.

[Network Access]
Remote

[Severity]
Critical

[Disclosure Timeline]
Vendor Notification: October 16, 2024
Vendor released fix: May 2, 2025
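The following is an added example, not RSI Queue's code or anything from the advisory author, showing the two defender-side controls this class of bug calls for: a handler that allowlist-validates TaskID as a plain integer and binds it as a query parameter instead of concatenating it, and a small log check that flags requests whose TaskID is not numeric or whose response time is abnormally long (the time-based signal the advisory describes). The table schema, the access-log format and the log lines are all constructed for the example and are not RSI Queue's.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample schema (assumption; not RSI Queue's database layout).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (TaskID INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO tasks VALUES (?, ?)",
                     [(1, "waiting"), (2, "served")])
    return conn

# Allowlist: a TaskID is 1-10 decimal digits, nothing else.
TASKID_RE = re.compile(r"[0-9]{1,10}")

def lookup_task(conn, task_id_raw):
    """Hardened GET handler: validate the raw value, then bind it.

    Anything that is not a plain integer is rejected before it reaches
    the database, and the accepted value is passed as a bound parameter,
    so no part of the request ever becomes SQL text.
    """
    if not TASKID_RE.fullmatch(task_id_raw):
        return None
    row = conn.execute("SELECT status FROM tasks WHERE TaskID = ?",
                       (int(task_id_raw),)).fetchone()
    return row[0] if row else None

# Constructed access-log excerpt in a simplified format (assumption):
#   <client> <method> <path?query> <status> <response_ms>
# The third line carries a non-numeric TaskID (URL-encoded quote) and a
# multi-second response, the pattern a time-based probe leaves behind.
SAMPLE_LOG = """\
10.0.0.5 GET /queue/get?TaskID=42 200 18
10.0.0.5 GET /queue/get?TaskID=43 200 21
198.51.100.7 GET /queue/get?TaskID=42%27 200 5012
198.51.100.7 GET /queue/get?TaskID=42 200 17
"""

SLOW_MS = 3000  # threshold above which a lookup is considered abnormal

def parse_line(line):
    client, _method, target, status, ms = line.split()
    query = parse_qs(urlsplit(target).query)   # parse_qs URL-decodes values
    task_id = query.get("TaskID", [""])[0]
    return client, task_id, int(status), int(ms)

def flag_suspicious(log_text):
    """Return (client, TaskID, reasons) for every line worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, task_id, _status, ms = parse_line(line)
        reasons = []
        if not TASKID_RE.fullmatch(task_id):
            reasons.append("non-numeric TaskID")
        if ms >= SLOW_MS:
            reasons.append(f"slow response ({ms} ms)")
        if reasons:
            findings.append((client, task_id, reasons))
    return findings

if __name__ == "__main__":
    db = make_db()
    print(lookup_task(db, "1"))     # waiting
    print(lookup_task(db, "1'"))    # None: rejected by the allowlist
    for client, task_id, reasons in flag_suspicious(SAMPLE_LOG):
        print(client, repr(task_id), ", ".join(reasons))
```

Either check alone catches this advisory's pattern: the allowlist rejects any TaskID that is not an integer before it reaches the database, and the log rule surfaces the slow, malformed lookups that a time-based probe produces even on an unpatched v3.0 instance.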