CVE-2026-25606

HIGH

SQL Injection in STER

Title source: cna

Description

A SQL injection vulnerability has been identified in STER. Improper neutralization of user-supplied input in multiple Search Filters allows SQL injection attacks. An authenticated attacker can view sensitive data, such as data belonging to other users, or any other data that the application itself is able to access. This issue was fixed in version 9.5.

References (2)

Core 2

Scores

CVSS v4 8.7
EPSS 0.0022
EPSS Percentile 12.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy/STER < 9.5
Published May 22, 2026
Tracked Since May 22, 2026