Three unpatched vulnerabilities in Das Parking Management System 6.2.0 expose the platform to OS-level command execution via SQL injection and argument injection against the Search API and an endpoint that invokes SQL Server’s xp_cmdshell stored procedure. No official vendor patch has been confirmed. CVSS 9.8 is sourced from discovery analysis and is not yet confirmed by NVD; EPSS sits at the 1st percentile indicating no confirmed active exploitation, but the attack class warrants immediate containment action regardless of current exploitation likelihood.