CVE-2026-25606
SQL Injection in STER Software
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: CERT.PL
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ster | ster | all versions before 9.5 (9.5 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25606 is a SQL injection vulnerability found in the STER software versions below 9.5. It occurs because the application improperly neutralizes user input in multiple search filters. This flaw allows an authenticated attacker to perform SQL injection attacks.
Through this vulnerability, the attacker can access sensitive data belonging to other users or any other data accessible by the application.
How can this vulnerability impact me?
This vulnerability can have serious impacts as it allows an authenticated attacker to access sensitive information that they should not be able to see. This includes data belonging to other users or any data the application can access.
Such unauthorized data access can lead to data breaches, loss of confidentiality, and potential misuse of sensitive information.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the STER software to version 9.5 or later, as the issue has been fixed in that version.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in STER allows an authenticated attacker to access sensitive data belonging to other users or any data accessible by the application. This unauthorized data exposure can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive information.
By enabling attackers to view sensitive data, the vulnerability undermines confidentiality and data integrity requirements mandated by these standards, potentially resulting in non-compliance and associated legal or financial penalties.