Description
SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.
Published: 2026-06-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported flaw is a classic SQL injection (CWE‑89) located in the ‘two_steps_auth_code’ input field that the /user-login endpoint processes during two‑factor authentication. Attackers can send crafted payloads before any user is authenticated, causing arbitrary SQL statements to be executed against the database backend. Successful exploitation could give an attacker read access to all data, the ability to create or modify privileged user accounts, change or delete critical data, and even crash the service with denial‑of‑service conditions.

Affected Systems

The vulnerability affects Nemon’s SaaS offerings, specifically Nemon Trade Energy and Nemon Trade Energy CRM. No particular version numbers are listed, which means that any instance running the affected authentication module before the fix is potentially impacted.

Risk and Exploitability

The risk remains high according to the CVSS score of 9.3, but the vulnerability has been fully mitigated by the vendor on 26 May 2026, and there is no documented exploitation. The EPSS score is not available, and the CVE is not listed in the CISA KEV catalog, indicating no known active exploitation. Attackers would need to target the /user-login endpoint, sending malicious payloads in the two_steps_auth_code field before authentication. Because the fix has been applied centrally to all SaaS instances, typical customers need not take action beyond routine monitoring.

Generated by OpenCVE AI on June 9, 2026 at 11:21 UTC.

Remediation

Vendor Solution

The reported vulnerability was fully mitigated by the Nemon team on 26 May 2026. There is no evidence that the vulnerability was exploited, nor that it had any impact on customers or data managed by the platform. As this is a SaaS solution, the fix was applied centrally by Nemon, without requiring any action on the part of customers. The vulnerability has been fixed and is no longer exploitable.

OpenCVE Recommended Actions

  • Review any custom processing that extends the /user-login endpoint to confirm that all user‑supplied parameters are safely parameterized and that no legacy code paths allow raw SQL injection.
  • Strengthen input validation on all authentication‑related parameters, ensuring that only expected formats are accepted and that data is correctly bound to query parameters.
  • Configure alerting on authentication logs to detect anomalous values or patterns in the two_steps_auth_code field, which may indicate a fresh attempt to abuse SQL injection.

Generated by OpenCVE AI on June 9, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nemon
Nemon nemon Trade Energy
Nemon nemon Trade Energy Crm
Vendors & Products Nemon
Nemon nemon Trade Energy
Nemon nemon Trade Energy Crm

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
Description SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.
Title SQL injection in Nemon products
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nemon Nemon Trade Energy Nemon Trade Energy Crm
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-09T14:12:27.775Z

Reserved: 2026-06-03T10:39:45.727Z

Link: CVE-2026-10731

cve-icon Vulnrichment

Updated: 2026-06-09T14:12:22.013Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T10:16:42.820

Modified: 2026-06-09T13:51:18.770

Link: CVE-2026-10731

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:21:05Z

Weaknesses