CVE-2026-1198
Description
SIMPLE.ERP is vulnerable to SQL Injection in the search functionality of the "Obroty na kontach" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will then be executed. This issue was fixed in 6.30@A04.4_u06.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL Injection in SIMPLE.ERP's search functionality allows arbitrary database queries; patched in version 6.30@A04.4_u06.
Vulnerability
Overview
CVE-2026-1198 is an SQL Injection vulnerability in the SIMPLE.ERP enterprise resource planning software. The flaw exists within the search functionality of the 'Obroty na kontach' (Account Transactions) window. Due to a lack of input validation, an attacker can inject malicious SQL commands through the search input field, which are then executed against the database backend [1][2].
Exploitation
Exploitation requires the attacker to be an authenticated user of SIMPLE.ERP. Once authenticated, no privileges beyond standard search access are needed: the attacker can craft a specially designed query in the search field. The system fails to properly neutralize special SQL elements, enabling the injection [1][2].
Impact
A successful attack allows the authenticated adversary to execute arbitrary SQL queries on the database. This could lead to unauthorized reading, modification, or deletion of data, including sensitive financial and personnel records. The attacker may also escalate privileges horizontally or vertically within the application, potentially compromising the entire ERP instance [1][2].
Mitigation
The vulnerability has been fixed in SIMPLE.ERP version 6.30@A04.4_u06. Users running any prior version are strongly advised to upgrade immediately. CERT Polska coordinated the disclosure process and acknowledges Kamil Dąbkowski for reporting the issue [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.30@A04.4_u06
Patches
No patches discovered yet.
References