Full Report
SQL Injection vulnerability (CVE-2026-1198) has been found in Simple.ERP software.
Analysis Summary
# Vulnerability: SQL Injection in Simple.ERP "Obroty na kontach" Window
## CVE Details
- **CVE ID:** CVE-2026-1198
- **CVSS Score:** Not explicitly rated in the advisory (SQL injection flaws of this kind are typically rated High).
- **CWE:** CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
## Affected Systems
- **Products:** Simple.ERP (developed by Simple SA)
- **Versions:** All versions prior to 6.26_u06
- **Configurations:** Systems utilizing the "Obroty na kontach" (Account Turnover) search functionality.
## Vulnerability Description
A classic SQL Injection (SQLi) flaw exists in the search functionality of the "Obroty na kontach" window in Simple.ERP. The application fails to validate or neutralize user-supplied input before incorporating it into an SQL query, so an authenticated user can break out of the intended query structure and execute arbitrary SQL commands against the backend database.
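The following is an added illustration, not code from the advisory or from Simple.ERP (whose implementation is not shown in the advisory). It builds a constructed account-turnover table in an in-memory SQLite database and implements the same search two ways: a hypothetical unsafe version that splices the search term into the SQL text, which is the pattern the description above refers to, and a hardened version that passes the term as a bound parameter. The table and column names, the sample rows and the sqlite3 backend are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for an "account turnover" table; the real
# Simple.ERP schema is not known from the advisory and is not reproduced here.
SAMPLE_ROWS = [
    ("100-01", "Cash", 1500.00),
    ("200-01", "Receivables", 820.50),
    ("300-01", "Payroll", 4200.00),
]


def make_db():
    """Create an in-memory database with the constructed turnover table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE turnover (account TEXT, name TEXT, amount REAL)")
    conn.executemany("INSERT INTO turnover VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """Hypothetical unsafe search: the user-supplied term is concatenated into
    the SQL text, so quote characters in it alter the query's structure."""
    sql = "SELECT account, name, amount FROM turnover WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """Hardened search: the term travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT account, name, amount FROM turnover WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    """Run both variants on an ordinary term and on a quote-bearing term of the
    kind listed under Detection, returning the row counts each produces."""
    conn = make_db()
    normal = "Cash"
    tautology = "' OR '1'='1"  # constructed input; the unsafe query becomes always-true
    return {
        "vuln_normal": len(search_vulnerable(conn, normal)),
        "vuln_tautology": len(search_vulnerable(conn, tautology)),
        "fixed_normal": len(search_fixed(conn, normal)),
        "fixed_tautology": len(search_fixed(conn, tautology)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

The unsafe variant returns every row for the quote-bearing term because the concatenated text no longer means "name equals this string"; the parameterized variant returns no rows for it, because the database compares the literal string and finds no such account name. The fix in 6.26_u06 is not published in the advisory, but binding parameters (or an equivalent prepared-statement API) is the standard remediation for CWE-89.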
## Exploitation
- **Status:** Coordinated disclosure; no reports of exploitation in the wild at the time of publication.
- **Complexity:** Low (Standard SQL Injection techniques).
- **Attack Vector:** Network (Authenticated). An attacker must have legitimate login credentials for the ERP system to access the vulnerable window.
## Impact
- **Confidentiality:** High (Potential to extract sensitive financial and corporate data from the ERP database).
- **Integrity:** High (Potential to modify, delete, or insert fraudulent financial records).
- **Availability:** High (Potential to drop tables or disrupt database services).
## Remediation
### Patches
- **Version 6.26_u06:** This version contains a fix for the SQL Injection vulnerability. Users are urged to update to this version or newer immediately.
### Workarounds
- No specific workarounds were provided in the advisory. General SQLi mitigation includes restricting, at the database level, the permissions of the account the application connects with, so that it holds only the least privilege it needs.
## Detection
- **Indicators of Compromise:** Unusual SQL syntax in application logs (e.g., apostrophes, `--`, `UNION SELECT`, `OR 1=1`).
- **Detection Methods:** Review database audit logs for unauthorized queries originating from the ERP application service account, specifically targeting account turnover tables.
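As an added example, not part of the advisory and not a Simple.ERP or CERT Polska tool, the scanner below applies the indicators listed above to constructed database audit log lines. The log format (timestamp, database login, and the executed SQL in `query="..."`) is an assumption; real audit formats differ and the line regex would need adapting. Rather than flagging every apostrophe, it flags an odd number of them, which leaves properly escaped literals such as `'O''Brien'` alone, and it reports which indicators fired so that a threshold can be applied.

```python
import re

# Constructed audit log lines (not real Simple.ERP output). The service account
# name "svc_erp" and the query text are invented for the example.
SAMPLE_LOG = """\
2026-02-10T09:12:03Z login=svc_erp query="SELECT account, amount FROM turnover WHERE name = 'Cash'"
2026-02-10T09:12:09Z login=svc_erp query="SELECT account, amount FROM turnover WHERE name = 'O''Brien'"
2026-02-10T09:13:41Z login=svc_erp query="SELECT account, amount FROM turnover WHERE name = '' OR '1'='1'"
2026-02-10T09:14:02Z login=svc_erp query="SELECT account, amount FROM turnover WHERE name = 'x' UNION SELECT 1, 2 --'"
2026-02-10T09:15:17Z login=svc_erp query="SELECT account, amount FROM turnover WHERE name = 'Payroll' -- quarterly run"
"""

# Assumed log line layout: <timestamp> login=<db login> query="<sql>"
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+query="(?P<sql>.*)"$')

# Indicators from the advisory summary, as case-insensitive regexes over the SQL text.
INDICATORS = {
    "comment_sequence": re.compile(r"--"),
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "tautology": re.compile(r"\bOR\s+'?1'?\s*=\s*'?1'?", re.I),  # OR 1=1, OR '1'='1'
}


def indicators_for(sql):
    """Return the names of all indicators present in one SQL statement."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(sql)]
    # An odd apostrophe count means a string literal was never closed, which is
    # what a stray quote injected into a concatenated query looks like; doubled
    # quotes inside a literal ('O''Brien') keep the count even.
    if sql.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    return hits


def scan(log_text, min_hits=1):
    """Parse each log line and report (timestamp, login, indicators) for every
    statement with at least min_hits indicators. Unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = indicators_for(m["sql"])
        if len(hits) >= min_hits:
            findings.append((m["ts"], m["login"], hits))
    return findings


if __name__ == "__main__":
    for ts, login, hits in scan(SAMPLE_LOG):
        print(f"{ts} {login}: {', '.join(hits)}")
```

On the sample, the statement with the always-true clause and the one with the comment-plus-UNION both surface, but so does the ordinary statement that merely carries a trailing `--` comment. That is the expected noise from a single-token indicator; raising `min_hits` to 2 keeps only the statement where several indicators coincide, and in practice the output should be reviewed together with who issued the query and whether the ERP application ever legitimately emits comments or UNION clauses against the turnover tables.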
## References
- **CERT Polska Advisory:** hxxps://cert[.]pl/en/posts/2026/02/CVE-2026-1198/
- **CVE Record:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-1198
- **CVD Policy:** hxxps://cert[.]pl/en/cvd/