CVE-2026-10731 (GCVE-0-2026-10731)

Vulnerability from cvelistv5 – Published: 2026-06-09 08:57 – Updated: 2026-06-09 14:12
VLAI
Title
SQL injection in Nemon products
Summary
SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.
Severity
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
Impacted products
Date Public
2026-06-08 10:00
Credits
Adrià Alavedra Palacios
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-10731",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T14:12:14.243664Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T14:12:27.775Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nemon Trade Energy",
          "vendor": "Nemon",
          "versions": [
            {
              "status": "affected",
              "version": "2.95.55"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Nemon Trade Energy CRM",
          "vendor": "Nemon",
          "versions": [
            {
              "status": "affected",
              "version": "2.95.55"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Adri\u00e0 Alavedra Palacios"
        }
      ],
      "datePublic": "2026-06-08T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SQL injection in the \u2018two_steps_auth_code\u2019 parameter processed by the \u2018twoStepsAuthVerification\u2019 function within the \u2018/user-login\u2019 endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions."
            }
          ],
          "value": "SQL injection in the \u2018two_steps_auth_code\u2019 parameter processed by the \u2018twoStepsAuthVerification\u2019 function within the \u2018/user-login\u2019 endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T08:57:54.739Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-nemon-products"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The reported vulnerability was fully mitigated by the Nemon team on 26 May 2026. There is no evidence that the vulnerability was exploited, nor that it had any impact on customers or data managed by the platform. As this is a SaaS solution, the fix was applied centrally by Nemon, without requiring any action on the part of customers. The vulnerability has been fixed and is no longer exploitable."
            }
          ],
          "value": "The reported vulnerability was fully mitigated by the Nemon team on 26 May 2026. There is no evidence that the vulnerability was exploited, nor that it had any impact on customers or data managed by the platform. As this is a SaaS solution, the fix was applied centrally by Nemon, without requiring any action on the part of customers. The vulnerability has been fixed and is no longer exploitable."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SQL injection in Nemon products",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2026-10731",
    "datePublished": "2026-06-09T08:57:54.739Z",
    "dateReserved": "2026-06-03T10:39:45.727Z",
    "dateUpdated": "2026-06-09T14:12:27.775Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-10731",
      "date": "2026-06-14",
      "epss": "0.00149",
      "percentile": "0.35379"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-10731\",\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"published\":\"2026-06-09T10:16:42.820\",\"lastModified\":\"2026-06-09T13:51:18.770\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SQL injection in the \u2018two_steps_auth_code\u2019 parameter processed by the \u2018twoStepsAuthVerification\u2019 function within the \u2018/user-login\u2019 endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"references\":[{\"url\":\"https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-nemon-products\",\"source\":\"cve-coordination@incibe.es\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-10731\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-09T14:12:14.243664Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-09T14:12:22.013Z\"}}], \"cna\": {\"title\": \"SQL injection in Nemon products\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Adri\\u00e0 Alavedra Palacios\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Nemon\", \"product\": \"Nemon Trade Energy\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.95.55\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Nemon\", \"product\": \"Nemon Trade Energy CRM\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.95.55\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The reported vulnerability was fully mitigated by the Nemon team on 26 May 2026. There is no evidence that the vulnerability was exploited, nor that it had any impact on customers or data managed by the platform. As this is a SaaS solution, the fix was applied centrally by Nemon, without requiring any action on the part of customers. The vulnerability has been fixed and is no longer exploitable.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The reported vulnerability was fully mitigated by the Nemon team on 26 May 2026. There is no evidence that the vulnerability was exploited, nor that it had any impact on customers or data managed by the platform. As this is a SaaS solution, the fix was applied centrally by Nemon, without requiring any action on the part of customers. The vulnerability has been fixed and is no longer exploitable.\", \"base64\": false}]}], \"datePublic\": \"2026-06-08T10:00:00.000Z\", \"references\": [{\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-nemon-products\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"SQL injection in the \\u2018two_steps_auth_code\\u2019 parameter processed by the \\u2018twoStepsAuthVerification\\u2019 function within the \\u2018/user-login\\u2019 endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"SQL injection in the \\u2018two_steps_auth_code\\u2019 parameter processed by the \\u2018twoStepsAuthVerification\\u2019 function within the \\u2018/user-login\\u2019 endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"shortName\": \"INCIBE\", \"dateUpdated\": \"2026-06-09T08:57:54.739Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-10731\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-09T14:12:27.775Z\", \"dateReserved\": \"2026-06-03T10:39:45.727Z\", \"assignerOrgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"datePublished\": \"2026-06-09T08:57:54.739Z\", \"assignerShortName\": \"INCIBE\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.