CVE-2026-10731
Description
SQL injection in Nemon Trade Energy and CRM (v2.95.55) allows unauthenticated attackers to execute arbitrary SQL queries, leading to data compromise or denial-of-service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the two_steps_auth_code parameter processed by the twoStepsAuthVerification function within the /user-login endpoint of Nemon Trade Energy and Nemon Trade Energy CRM, version 2.95.55. This vulnerability allows access to the two-factor authentication functionality without prior authentication [1].
Exploitation
Unauthenticated attackers can exploit this vulnerability by sending a crafted request to the /user-login endpoint, targeting the two_steps_auth_code parameter. No specific user interaction or special privileges are required to trigger the vulnerability, as the 2FA functionality can be accessed directly [1].
Impact
Successful exploitation allows attackers to execute arbitrary SQL queries on the backend database. This can lead to database enumeration, the unauthorized creation of privileged users, modification or deletion of critical information, and denial-of-service conditions [1].
Mitigation
The vulnerability was fixed by the Nemon team on May 26, 2026, and is no longer exploitable. As this is a SaaS solution, the fix was applied centrally by Nemon, requiring no action from customers. There is no evidence that the vulnerability was exploited or had any impact on customers or data [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.