Description
SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in "Obroty na kontach" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed.
This issue was fixed in 6.30@A04.4_u06.
Published: 2026-02-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to unauthorized database access
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a lack of input validation in the search functionality of the "Obroty na kontach" window in Simple.ERP. An authenticated user can inject malicious SQL into the query, allowing the attacker to read or modify data in the database. The flaw is an example of CWE‑89, a classic SQL injection weakness that compromises confidentiality, integrity, and potentially availability of the system’s data.

Affected Systems

The affected product is Simple.ERP from Simple SA. Versions prior to the 6.30@A04.4_u06 release are vulnerable; the issue was fixed in that specific build. The patch applies to all build versions preceding 6.30@A04.4_u06.

Risk and Exploitability

The CVSS base score of 8.6 indicates high severity, while an EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability requires authentication, implying that the attacker must first gain valid credentials. Based on the description, it is inferred that an attacker would log into the system, navigate to the "Obroty na kontach" window and inject a crafted query. The limited EPSS suggests that this is not currently a high‑volume attack but remains a serious threat should credentials be compromised.

Generated by OpenCVE AI on April 17, 2026 at 14:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Simple.ERP to version 6.30@A04.4_u06 or later to apply the vendor‑provided fix.
  • Implement server‑side input validation for the "Obroty na kontach" search field to prevent malicious query construction.
  • Restrict access to the "Obroty na kontach" feature or enforce least‑privilege database connections to limit potential data exposure.

Generated by OpenCVE AI on April 17, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Simple Sa
Simple Sa simple.erp
Vendors & Products Simple Sa
Simple Sa simple.erp

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 11:30:00 +0000

Type Values Removed Values Added
Description SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in "Obroty na kontach" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed. This issue was fixed in 6.30@A04.4_u06.
Title SQL Injection in SIMPLE.ERP
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Simple Sa Simple.erp
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-02-26T14:27:02.779Z

Reserved: 2026-01-19T14:01:03.414Z

Link: CVE-2026-1198

cve-icon Vulnrichment

Updated: 2026-02-26T14:23:09.548Z

cve-icon NVD

Status : Deferred

Published: 2026-02-26T12:15:58.550

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1198

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses