{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1198", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-01-19T14:01:03.414Z", "datePublished": "2026-02-26T11:27:18.585Z", "dateUpdated": "2026-02-26T14:27:02.779Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Simple.ERP", "vendor": "Simple SA", "versions": [{"lessThan": "6.30@A04.4_u06", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kamil D\u0105bkowski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in \"Obroty na kontach\" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed.<br>This issue was fixed in 6.30@A04.4_u06."}], "value": "SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in \"Obroty na kontach\" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed.\nThis issue was fixed in 6.30@A04.4_u06."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-02-26T11:27:18.585Z"}, "references": [{"tags": ["product"], "url": "https://simple.com.pl/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2026/02/CVE-2026-1198"}], "source": {"discovery": "EXTERNAL"}, "title": "SQL Injection in SIMPLE.ERP", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:22:57.655661Z", "id": "CVE-2026-1198", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:27:02.779Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1198", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T14:22:57.655661Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:23:09.548Z"}}], "cna": {"title": "SQL Injection in SIMPLE.ERP", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Kamil D\u0105bkowski"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Simple SA", "product": "Simple.ERP", "versions": [{"status": "affected", "version": "0", "lessThan": "6.30@A04.4_u06", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://simple.com.pl/", "tags": ["product"]}, {"url": "https://cert.pl/posts/2026/02/CVE-2026-1198", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in \"Obroty na kontach\" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed.\nThis issue was fixed in 6.30@A04.4_u06.", "supportingMedia": [{"type": "text/html", "value": "SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in \"Obroty na kontach\" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed.<br>This issue was fixed in 6.30@A04.4_u06.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-02-26T11:27:18.585Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1198", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:27:02.779Z", "dateReserved": "2026-01-19T14:01:03.414Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-02-26T11:27:18.585Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in \"Obroty na kontach\" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed.\nThis issue was fixed in 6.30@A04.4_u06."}, {"lang": "es", "value": "SIMPLE.ERP es vulnerable a la inyecci\u00f3n SQL en la funcionalidad de b\u00fasqueda en la ventana 'Obroty na kontach'. La falta de validaci\u00f3n de entrada permite a un atacante autenticado preparar una consulta maliciosa a la base de datos que ser\u00e1 ejecutada.\nEste problema fue solucionado en 6.30@A04.4_u06."}], "id": "CVE-2026-1198", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-02-26T12:15:58.550", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/posts/2026/02/CVE-2026-1198"}, {"source": "cvd@cert.pl", "url": "https://simple.com.pl/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.30@A04.4_u06)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Simple.ERP", "source": "cna", "vendor": "Simple SA"}, "product": "simple.erp", "vendor": "simple_sa"}], "analysis": {"en": {"generated_at": "2026-04-17T14:24:28.492062+00:00", "value": {"mitigation_remediation": ["Upgrade Simple.ERP to version 6.30@A04.4_u06 or later to apply the vendor\u2011provided fix.", "Implement server\u2011side input validation for the \"Obroty na kontach\" search field to prevent malicious query construction.", "Restrict access to the \"Obroty na kontach\" feature or enforce least\u2011privilege database connections to limit potential data exposure."], "summary": {"action": "Apply Patch", "impact": "SQL Injection leading to unauthorized database access"}, "threat_synthesis": {"affected_systems": "The affected product is Simple.ERP from Simple SA. Versions prior to the 6.30@A04.4_u06 release are vulnerable; the issue was fixed in that specific build. The patch applies to all build versions preceding 6.30@A04.4_u06.", "description_and_impact": "The vulnerability is a lack of input validation in the search functionality of the \"Obroty na kontach\" window in Simple.ERP. An authenticated user can inject malicious SQL into the query, allowing the attacker to read or modify data in the database. The flaw is an example of CWE\u201189, a classic SQL injection weakness that compromises confidentiality, integrity, and potentially availability of the system\u2019s data.", "risk_and_exploitability": "The CVSS base score of 8.6 indicates high severity, while an EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability requires authentication, implying that the attacker must first gain valid credentials. Based on the description, it is inferred that an attacker would log into the system, navigate to the \"Obroty na kontach\" window and inject a crafted query. The limited EPSS suggests that this is not currently a high\u2011volume attack but remains a serious threat should credentials be compromised."}}}}, "created": "2026-02-27T09:07:36.679586+00:00", "updated": "2026-04-17T14:30:20.825563+00:00", "vendors": ["simple_sa", "simple_sa$PRODUCT$simple.erp"]}