CVE-2026-6833
SQL Injection in a+HRD Allows Authenticated Data Exposure
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: TWCERT/CC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aenrich | a+hrd | from 6.8 (inclusive) to 7.1 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
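As an added illustration of the CWE-89 pattern described above (example code written for this page, not aEnrich's code, and making no claim about how a+HRD builds its queries), the following Python script creates a small in-memory SQLite HR database and runs the same staff-directory search two ways: once with the search term spliced into the SQL text, once with it bound as a parameter. A constructed UNION payload sent through the first version returns the credentials table, which is the kind of unauthorized read the advisory describes; the second version treats the same string as an ordinary search term. The schema, sample rows, payload and function names are all assumptions made for this example.

```python
import sqlite3

# Constructed sample schema and data (assumption for this example, not a+HRD's
# schema): an HR database where a logged-in user may search the staff
# directory but must never read the credentials table.
SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, department TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO employees VALUES (1, 'Alice Chen', 'Engineering');
INSERT INTO employees VALUES (2, 'Bob Lin', 'Finance');
INSERT INTO users VALUES (1, 'alice', 'hash-of-alice-pw');
INSERT INTO users VALUES (2, 'admin', 'hash-of-admin-pw');
"""


def open_db():
    """Open a fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, name):
    """CWE-89: the search term is concatenated into the SQL text, so a quote
    or keyword inside it is parsed as SQL rather than as data. Being reachable
    only after login (the advisory's 'authenticated' precondition) does nothing
    to stop this: the session check happens before the query is built."""
    sql = "SELECT name, department FROM employees WHERE name LIKE '%" + name + "%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, name):
    """Same query with the search term bound as a parameter. The driver hands
    the value to the engine separately from the statement, so the value can
    never change the statement's shape, whatever characters it contains."""
    sql = "SELECT name, department FROM employees WHERE name LIKE ?"
    return conn.execute(sql, ("%" + name + "%",)).fetchall()


# Constructed payload: closes the LIKE string literal, appends a UNION that
# reads the credentials table (column count must match the outer SELECT, here
# two), and comments out the trailing "%'" the template would otherwise add.
PAYLOAD = "x%' UNION SELECT username, password_hash FROM users -- "


def demo():
    """Run a legitimate search and the injection payload through both versions."""
    conn = open_db()
    return {
        "legit_vulnerable": search_vulnerable(conn, "Chen"),
        "legit_hardened": search_hardened(conn, "Chen"),
        "leaked": search_vulnerable(conn, PAYLOAD),    # credentials come back
        "blocked": search_hardened(conn, PAYLOAD),     # no row matches the literal string
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both versions return the same result for an ordinary search, which is why this class of bug survives functional testing. One caveat on the hardened form: parameter binding stops injection but does not neutralize LIKE wildcards, so a user can still pass `%` or `_` to broaden the match; if that matters for the application, escape those characters and add an `ESCAPE` clause.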
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6833 is a SQL Injection vulnerability in the a+HRD software developed by aEnrich. Per the affected-products table, the affected range runs from version 6.8 (inclusive) up to, but not including, version 7.1.
This vulnerability allows authenticated remote attackers to inject arbitrary SQL commands into the system.
By exploiting this flaw, attackers can read the contents of the database without proper authorization.
How can this vulnerability impact me?
The vulnerability impacts the confidentiality of the data stored in the a+HRD database.
An authenticated attacker can remotely inject SQL commands to read sensitive database contents.
The advisory describes only data disclosure, not modification or denial of service; unauthorized disclosure of HR records can nonetheless lead to privacy breaches and information leakage.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-6833, upgrade a+HRD to version 7.1 or later; 7.1 is the first version outside the affected range (6.8 inclusive to 7.1 exclusive) given in the affected-products table.
Additionally, apply the latest patches provided by the vendor to address this SQL Injection vulnerability.
If needed, contact aEnrich customer service or vendor support for assistance with the upgrade and patching process.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated remote attackers to inject arbitrary SQL commands and read database contents, impacting the confidentiality of data.
This breach of confidentiality could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of sensitive personal and health information from unauthorized access.
However, the provided information does not explicitly mention compliance impacts or specific regulatory consequences.