Skip to main content

Nemon Trade Energy CVE-2026-10731

| EUVDEUVD-2026-35387 CRITICAL
SQL Injection (CWE-89)
2026-06-09 INCIBE GHSA-cg52-fw3m-jv5q
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 10:34 vuln.today
CVSS changed
Jun 09, 2026 - 10:22 NVD
9.3 (CRITICAL)

DescriptionCVE.org

SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.

AnalysisAI

Unauthenticated SQL injection in Nemon Trade Energy and Nemon Trade Energy CRM allows remote attackers to execute arbitrary SQL queries through the 'two_steps_auth_code' parameter on the '/user-login' endpoint. The 2FA verification flow is reachable without prior authentication, enabling full database compromise; no public exploit identified at time of analysis, but a vendor patch is available per the INCIBE advisory.

Technical ContextAI

The vulnerability is a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) flaw in the 'twoStepsAuthVerification' server-side function of Nemon's Trade Energy and Trade Energy CRM web applications (CPE: cpe:2.3:a:nemon:nemon_trade_energy:*, cpe:2.3:a:nemon:nemon_trade_energy_crm:*). The 'two_steps_auth_code' parameter - intended as a one-time 2FA token check - is concatenated into a backend SQL statement without proper parameterization or input sanitization. Compounding the issue, the 2FA verification endpoint is exposed in the pre-authentication state of the login flow, meaning the SQLi sink can be reached before any credential validation occurs.

RemediationAI

Patch available per vendor advisory - apply the update referenced in the INCIBE-CERT bulletin at https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-nemon-products as the primary remediation; exact fixed version strings were not provided in the input data and should be confirmed directly with Nemon. Until patching is complete, restrict network exposure of the '/user-login' endpoint by placing the application behind a VPN or IP allowlist (trade-off: blocks legitimate remote users and partner access), and deploy a WAF rule that blocks SQL metacharacters and common SQLi payloads in the 'two_steps_auth_code' POST parameter on the '/user-login' path (trade-off: WAF rules can be bypassed by encoding tricks and may false-positive on legitimate alphanumeric codes). Enable database query logging and alert on anomalous queries originating from the application service account to detect exploitation attempts during the patch window.

Share

CVE-2026-10731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy