Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters allows for SQL Injection attacks. It allows an authenticated attacker to view sensitive data such as data belonging to other users, or any other data that the application itself is able to access
This issue was fixed in version 9.5.
AnalysisAI
SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows authenticated attackers to extract sensitive data by injecting crafted input into multiple Search Filter parameters. The CVSS 4.0 score of 8.7 reflects high confidentiality and integrity impact over the network with low attacker privileges required, and a vendor patch is available in version 9.5. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Technical ContextAI
STER is a web application maintained by Poland's Central Institute for Labour Protection - National Research Institute (CIOP-PIB), as indicated by the CPE string cpe:2.3:a:centralny_instytut_ochrony_pracy_-_państwowy_instytut_badawczy:ster. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input passed through Search Filter parameters is concatenated into SQL statements without parameterization or proper escaping. Because the injection lives in search filters, an authenticated session is sufficient to manipulate the underlying database queries and bypass the application's intended row/column access boundaries.
RemediationAI
Vendor-released patch: STER 9.5 - upgrade all STER instances to version 9.5 or later, which the vendor identifies as the fixed release. Operators should consult the CERT-PL advisory at https://cert.pl/posts/2026/05/CVE-2026-25606 and the vendor at https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl for upgrade instructions. If immediate upgrade is not possible, restrict network access to the application to trusted internal users only and place the application behind a WAF with SQLi rules tuned to the affected Search Filter parameters, accepting that WAF rules can produce false positives on legitimate complex queries; additionally, revoke or tightly scope database account privileges used by the application so that any successful injection cannot read tables beyond the minimum required, with the trade-off of potential application functionality breakage if least-privilege has not been validated.
Weak password encoding in STER (all versions before 9.5) exposes stored credentials to local reverse-engineering by any
Cleartext TCP transmission in STER (by Poland's Central Institute for Labour Protection, CIOP) exposes sensitive data in
Same weakness CWE-89 – SQL Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31422
GHSA-6vwp-cg8j-vqgh