Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated, low-complexity, network-reachable SQL injection with no user interaction (PR:N/UI:N/AC:L), impacting only confidentiality via database read (C:H, I:N, A:N).
Primary rating from Vendor (twcert).
CVSS VectorVendor: twcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
AnalysisAI
SQL injection in PROG MIS's Prog Management System allows unauthenticated remote attackers to inject arbitrary SQL commands and read arbitrary database contents. The flaw carries a CVSS 4.0 base score of 8.7 (High) and requires no authentication, privileges, or user interaction, but its impact is limited to confidentiality (data disclosure) rather than data modification or service disruption. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation is possible against network-reachable deployments of Prog Management System, per the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N (no authentication, no privileges, no user interaction, low complexity). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a low-complexity, network-reachable, fully unauthenticated attack with no user interaction - an easy-to-exploit profile that justifies the 8.7 High rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker on the network locates an internet-exposed Prog Management System instance and submits a crafted HTTP request in which a vulnerable parameter contains SQL metacharacters (e.g., a UNION SELECT or blind boolean payload). Because input is not sanitized, the injected SQL executes against the backend database, letting the attacker enumerate tables and exfiltrate sensitive records such as user credentials or personal data. … |
| Remediation | No vendor-released patch version is identified in the available data, so consult the TWCERT advisories (https://www.twcert.org.tw/en/cp-139-11026-3df18-2.html and https://www.twcert.org.tw/tw/cp-132-11025-fa1d9-1.html) and contact PROG MIS directly for a fixed release, then upgrade to the patched version once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running PROG MIS's Prog Management System and restrict network exposure of affected instances to essential users only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Prog Management System
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41822
GHSA-4r22-42g6-89f9