Description
A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by the user into multiple Search Filters allows for SQL injection attacks. It allows an authenticated attacker to view sensitive data, such as data belonging to other users or any other data that the application itself is able to access.

This issue was fixed in version 9.5.
Published: 2026-05-22
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection that occurs when user input in multiple search filters is not properly neutralized. An authenticated attacker can extract sensitive data belonging to other users or other data that the application itself can access.

Affected Systems

The vulnerability affects the STER application provided by Centralny Instytut Ochrony Pracy – Państwowy Instytut Badawczy. Versions prior to 9.5 are impacted; the fix was applied in version 9.5.

Risk and Exploitability

The CVSS score of 8.7 indicates a high level of severity, and the vulnerability is not yet listed in the CISA KEV catalog. EPSS data is not available, so the exploitation probability is unknown. The description indicates that the attacker must be authenticated, suggesting that the attack is carried out from within an authenticated session (locally or remotely) rather than through unauthenticated exploitation.

Generated by OpenCVE AI on May 22, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the STER application to version 9.5 or newer to apply the vendor-supplied SQL injection fix.
  • Restrict user privileges to the minimum required permissions to reduce the amount of data an attacker can access even if the flaw is exploited.
  • Review and refactor input handling for all search filters to enforce strict parameterized queries and proper input validation to prevent future injection issues.

Generated by OpenCVE AI on May 22, 2026 at 11:21 UTC.
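The parameterized-query refactor called for in the last recommended action, as an added Python/sqlite3 example. This is not STER's code: it assumes a constructed `reports` table with an `owner_id` column and a single title search filter, since the page does not show STER's real schema or filter names. The vulnerable form reproduces the cross-user data exposure the description mentions; the hardened form binds both the filter value and the requesting user's id as parameters.

```python
import sqlite3


def make_db():
    # Constructed sample data (not STER's schema): rows owned by two different users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER, owner_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", [
        (1, 1, "Noise survey hall A"),
        (2, 1, "Dust exposure line 3"),
        (3, 2, "Confidential audit"),  # belongs to another user
    ])
    return conn


def search_vulnerable(conn, owner_id, title_filter):
    # CWE-89 pattern: the search-filter text is concatenated straight into the
    # statement, so a crafted value can rewrite the WHERE clause and drop the
    # ownership restriction.
    sql = ("SELECT id, owner_id, title FROM reports WHERE owner_id = %d "
           "AND title LIKE '%%%s%%'" % (owner_id, title_filter))
    return conn.execute(sql).fetchall()


def search_hardened(conn, owner_id, title_filter):
    # Parameterized query: the driver binds both values, so the filter text can
    # only ever be matched as a string and the owner_id predicate (taken from the
    # authenticated session, not from the request) cannot be bypassed.
    sql = ("SELECT id, owner_id, title FROM reports WHERE owner_id = ? "
           "AND title LIKE ? ESCAPE '\\'")
    # Escape LIKE wildcards too, so a filter of "%" does not match everything.
    escaped = (title_filter.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    return conn.execute(sql, (owner_id, "%" + escaped + "%")).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1' --"  # constructed filter value that breaks out of the quoted LIKE
    print("vulnerable:", search_vulnerable(db, 1, probe))  # returns all three rows
    print("hardened:  ", search_hardened(db, 1, probe))    # returns []
```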

Advisories

No advisories yet.

History

Fri, 22 May 2026 15:30:00 +0000

Type    | Values Removed | Values Added
Metrics | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy; Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy ster
Vendors & Products  | (none)         | Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy; Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy ster

Fri, 22 May 2026 10:00:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters allows for SQL Injection attacks. It allows an authenticated attacker to view sensitive data such as data belonging to other users, or any other data that the application itself is able to access This issue was fixed in version 9.5.
Title       | (none)         | SQL Injection in STER
Weaknesses  | (none)         | CWE-89
References  | (none)         | (none)
Metrics     | (none)         | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE
Status: PUBLISHED
Assigner: CERT-PL
Published:
Updated: 2026-05-22T13:45:12.067Z
Reserved: 2026-02-03T13:12:14.138Z
Link: CVE-2026-25606

Vulnrichment
Updated: 2026-05-22T13:44:56.060Z

NVD
Status: Received
Published: 2026-05-22T10:16:17.263
Modified: 2026-05-22T10:16:17.263
Link: CVE-2026-25606

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-05-22T12:37:44Z

Weaknesses