Description
The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
Published: 2026-04-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure
Action: Immediate Patch
AI Analysis

Impact

The a+HRD application developed by aEnrich contains a SQL Injection flaw (CWE-89) that allows authenticated remote attackers to inject arbitrary SQL commands and read database contents. Both assigned CVSS vectors rate the confidentiality impact High and the integrity and availability impacts None, so the documented consequence is data disclosure: a user with a valid account can extract records beyond those the application intends to expose, which in an HR product can include employee personal data. Whether an injection could also modify or delete data would depend on the privileges of the database account the application uses; the advisory does not claim it.

Affected Systems

The advisory does not enumerate an affected version range; it states that the fix is to upgrade to version 6.8 or later and apply the latest patches. Deployments on any earlier version, including unsupported or unpatched installations, should therefore be treated as affected.

Risk and Exploitability

The 7.1 score is the CVSS v4.0 base score (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N); the CVSS v3.1 score is 6.5, Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). Both vectors describe a flaw reachable over the network with low attack complexity, no user interaction and low privileges, i.e. any authenticated user, with high impact to confidentiality only. Exploitation likelihood therefore hinges on an attacker obtaining a valid account, which for an HR system may be any employee login. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so there is no evidence of active exploitation at the time of publication. The attack vector is an authenticated HTTP request to the application whose parameter values are not neutralized before being used in a SQL query (CWE-89).

Generated by OpenCVE AI on April 22, 2026 at 06:08 UTC.

Remediation

Vendor Solution

Please refer to the aEnrich advisory to upgrade to version 6.8 or later and install the latest patches, or contact aEnrich customer service for assistance.


OpenCVE Recommended Actions

  • Upgrade a+HRD to version 6.8 or later and apply the latest patches as recommended by aEnrich.
  • Run a+HRD under a database account limited to the tables and operations the application needs, not a database owner or administrative role; an injection can only read what that account can read, so tables holding credentials or data belonging to other applications should not be accessible to it.
  • Validate all user-supplied input in the application or use parameterized queries so that data cannot form part of executable SQL.
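The difference between the concatenated query the advisory implies and the parameterized form recommended above, shown as an added example that is not code from a+HRD or aEnrich (the page does not say what language the product is written in; Python with the standard sqlite3 module is used here so the behaviour can be run anywhere). The employees and credentials tables, the rows in them and the payload string are constructed for the demonstration and are not taken from the advisory.

```python
import sqlite3


# Constructed sample database, not a+HRD's real schema: one table the search
# is meant to read and one it must never expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT);
        CREATE TABLE credentials (username TEXT, password_hash TEXT);
        INSERT INTO employees VALUES (1, 'Alice', 'HR'), (2, 'Bob', 'IT');
        INSERT INTO credentials VALUES ('admin', 'hash-of-admin-pw');
    """)
    return conn


def search_vulnerable(conn, dept):
    """CWE-89 pattern: the request parameter is spliced into the statement
    text, so quotes and keywords inside it are parsed as SQL."""
    sql = "SELECT name FROM employees WHERE dept = '" + dept + "'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, dept):
    """Parameterized query: the driver binds the value after the statement is
    parsed, so it is only ever compared as data and cannot change the query."""
    sql = "SELECT name FROM employees WHERE dept = ?"
    return [row[0] for row in conn.execute(sql, (dept,))]


# Constructed payload of the kind an authenticated user could submit in a
# search field: closes the string literal, appends a UNION that reads a
# second table, and comments out the trailing quote the template adds.
PAYLOAD = "x' UNION SELECT password_hash FROM credentials --"


def demo():
    """Run both variants against a normal value and against the payload."""
    conn = make_db()
    return {
        "legit_vulnerable": search_vulnerable(conn, "HR"),
        "legit_fixed": search_fixed(conn, "HR"),
        # The vulnerable version returns a credential hash instead of names.
        "payload_vulnerable": search_vulnerable(conn, PAYLOAD),
        # The fixed version simply finds no department with that name.
        "payload_fixed": search_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

Both functions return the same rows for ordinary input, which is why this class of bug survives functional testing; only the injected value separates them. The least-privilege action in the list above is the second line of defence: if the application's database account cannot read the credentials table, the UNION in the vulnerable variant fails even where a query was missed during the fix.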



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

  Type      Values Removed   Values Added
  Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 05:45:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   (none)           Aenrich; Aenrich a+hrd
  Vendors & Products    (none)           Aenrich; Aenrich a+hrd

Wed, 22 Apr 2026 04:00:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
  Title         (none)           aEnrich|a+HRD - SQL Injection
  Weaknesses    (none)           CWE-89
  References    (none)           (none listed)
  Metrics       (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                                 cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-04-22T12:45:37.247Z

Reserved: 2026-04-22T02:48:33.880Z

Link: CVE-2026-6833

Vulnrichment

Updated: 2026-04-22T12:45:33.105Z

NVD

Status: Received

Published: 2026-04-22T04:16:07.303

Modified: 2026-04-22T04:16:07.303

Link: CVE-2026-6833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses