VYPR
← All advisories
High severityNVD Advisory· Published Oct 21, 2025· Updated Apr 15, 2026

CVE-2025-9339

CVE-2025-9339

Description

SQL injection vulnerability in the fields of warehouse document filtering form in SIMPLE.ERP software allows logged-in user a malicious query injection. Potential exploitation is limited by the 20-character limit in form fields. Identified use case allows to delete tables with a name of maximum 6 characters. We weren't able to identify a way to exfiltrate data within query character limit.

This issue affects SIMPLE.ERP in versions before 6.30@a04.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in SIMPLE.ERP warehouse document filtering form allows authenticated users to delete tables with up to 6-character names, but data exfiltration is limited by a 20-character input constraint.

Vulnerability

Details

The vulnerability is a SQL injection (CWE-89) in the warehouse document filtering form fields of SIMPLE.ERP. The software fails to properly neutralize special elements used in SQL commands, allowing a logged-in user to inject malicious queries [2].

Exploitation

An attacker must be authenticated to the system. Input fields in the filtering form have a 20-character limit, which restricts the payload size. The identified exploit scenario allows the deletion of database tables whose names are at most 6 characters long, as longer table names would exceed the character limit [2].

Impact

Successful exploitation can lead to deletion of database tables, potentially causing data loss or service disruption. However, the researchers could not find a way to exfiltrate data within the character limit [2].

Mitigation

The issue affects SIMPLE.ERP versions before 6.30@a04.3. The vendor has released a patched version that addresses the vulnerability. Users are advised to update to the latest version [2].

References
  1. Vulnerability in SIMPLE.ERP software

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.