CVE-2026-25606

Received Received - Intake

SQL Injection in STER Software

Publication date: 2026-05-22

Last updated on: 2026-05-22

Assigner: CERT.PL

Description

A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters allows for SQL Injection attacks. It allows an authenticated attacker to view sensitive data such as data belonging to other users, or any other data that the application itself is able to access This issue was fixed in version 9.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-22

Last Modified

2026-05-22

Generated

2026-06-12

AI Q&A

2026-05-22

EPSS Evaluated

2026-06-10

NVD

CVE-2026-25606

EUVD

EUVD-2026-31422

Affected Vendors & Products

Vendor	Product	Version / Range
ster	ster	to 9.5 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-25606 is a SQL injection vulnerability found in the STER software versions below 9.5. It occurs because the application improperly neutralizes user input in multiple search filters. This flaw allows an authenticated attacker to perform SQL injection attacks.

Through this vulnerability, the attacker can access sensitive data belonging to other users or any other data accessible by the application.

Impact Analysis

This vulnerability can have serious impacts as it allows an authenticated attacker to access sensitive information that they should not be able to see. This includes data belonging to other users or any data the application can access.

Such unauthorized data access can lead to data breaches, loss of confidentiality, and potential misuse of sensitive information.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the STER software to version 9.5 or later, as the issue has been fixed in that version.

Compliance Impact

The SQL injection vulnerability in STER allows an authenticated attacker to access sensitive data belonging to other users or any data accessible by the application. This unauthorized data exposure can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive information.

By enabling attackers to view sensitive data, the vulnerability undermines confidentiality and data integrity requirements mandated by these standards, potentially resulting in non-compliance and associated legal or financial penalties.

Hi! I’m here to help you understand CVE-2026-25606. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-25606

SQL Injection in STER Software

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart