Skip to main content

Ster

3 CVEs product

Monthly

CVE-2026-25608 LOW PATCH Monitor

Cleartext TCP transmission in STER (by Poland's Central Institute for Labour Protection, CIOP) exposes sensitive data including passwords, personal data, and authentication tokens to interception. All versions prior to 9.5 are affected per EUVD-2026-31424. Exploitation requires the attacker to be pre-positioned on the network path (CVSS AT:P), limiting opportunistic mass exploitation, but poses meaningful risk in shared or corporate network environments where insider or adjacent-network threats exist. No public exploit code identified at time of analysis and no confirmed active exploitation (CISA KEV).

Information Disclosure Ster
NVD
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-25607 MEDIUM PATCH This Month

Weak password encoding in STER (all versions before 9.5) exposes stored credentials to local reverse-engineering by any low-privileged user on the system. The root cause (CWE-261) is use of a reversible or insufficiently one-way encoding scheme rather than a cryptographically strong hashing algorithm, enabling an attacker who can observe encoded password data to deduce plaintext values by analyzing patterns across known-value samples. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact (VC:H in CVSS 4.0) confirms that successful exploitation fully exposes affected credentials. The issue was reported by CERT-PL and fixed by CIOP-PIB in version 9.5.

Information Disclosure Ster
NVD
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-25606 HIGH PATCH This Week

SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows authenticated attackers to extract sensitive data by injecting crafted input into multiple Search Filter parameters. The CVSS 4.0 score of 8.7 reflects high confidentiality and integrity impact over the network with low attacker privileges required, and a vendor patch is available in version 9.5. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Information Disclosure SQLi Ster
NVD
CVSS 4.0
8.7
EPSS
0.0%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cleartext TCP transmission in STER (by Poland's Central Institute for Labour Protection, CIOP) exposes sensitive data including passwords, personal data, and authentication tokens to interception. All versions prior to 9.5 are affected per EUVD-2026-31424. Exploitation requires the attacker to be pre-positioned on the network path (CVSS AT:P), limiting opportunistic mass exploitation, but poses meaningful risk in shared or corporate network environments where insider or adjacent-network threats exist. No public exploit code identified at time of analysis and no confirmed active exploitation (CISA KEV).

Information Disclosure Ster
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Weak password encoding in STER (all versions before 9.5) exposes stored credentials to local reverse-engineering by any low-privileged user on the system. The root cause (CWE-261) is use of a reversible or insufficiently one-way encoding scheme rather than a cryptographically strong hashing algorithm, enabling an attacker who can observe encoded password data to deduce plaintext values by analyzing patterns across known-value samples. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact (VC:H in CVSS 4.0) confirms that successful exploitation fully exposes affected credentials. The issue was reported by CERT-PL and fixed by CIOP-PIB in version 9.5.

Information Disclosure Ster
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows authenticated attackers to extract sensitive data by injecting crafted input into multiple Search Filter parameters. The CVSS 4.0 score of 8.7 reflects high confidentiality and integrity impact over the network with low attacker privileges required, and a vendor patch is available in version 9.5. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Information Disclosure SQLi Ster
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy