Skip to main content

STER CVE-2026-25606

| EUVDEUVD-2026-31422 HIGH
SQL Injection (CWE-89)
2026-05-22 CERT-PL GHSA-6vwp-cg8j-vqgh
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 22, 2026 - 10:15 vuln.today
Patch available
May 22, 2026 - 10:01 EUVD

DescriptionCVE.org

A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters allows for SQL Injection attacks. It allows an authenticated attacker to view sensitive data such as data belonging to other users, or any other data that the application itself is able to access

This issue was fixed in version 9.5.

AnalysisAI

SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows authenticated attackers to extract sensitive data by injecting crafted input into multiple Search Filter parameters. The CVSS 4.0 score of 8.7 reflects high confidentiality and integrity impact over the network with low attacker privileges required, and a vendor patch is available in version 9.5. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Technical ContextAI

STER is a web application maintained by Poland's Central Institute for Labour Protection - National Research Institute (CIOP-PIB), as indicated by the CPE string cpe:2.3:a:centralny_instytut_ochrony_pracy_-_państwowy_instytut_badawczy:ster. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input passed through Search Filter parameters is concatenated into SQL statements without parameterization or proper escaping. Because the injection lives in search filters, an authenticated session is sufficient to manipulate the underlying database queries and bypass the application's intended row/column access boundaries.

RemediationAI

Vendor-released patch: STER 9.5 - upgrade all STER instances to version 9.5 or later, which the vendor identifies as the fixed release. Operators should consult the CERT-PL advisory at https://cert.pl/posts/2026/05/CVE-2026-25606 and the vendor at https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl for upgrade instructions. If immediate upgrade is not possible, restrict network access to the application to trusted internal users only and place the application behind a WAF with SQLi rules tuned to the affected Search Filter parameters, accepting that WAF rules can produce false positives on legitimate complex queries; additionally, revoke or tightly scope database account privileges used by the application so that any successful injection cannot read tables beyond the minimum required, with the trade-off of potential application functionality breakage if least-privilege has not been validated.

Share

CVE-2026-25606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy