CVE-2026-25606
Description
A SQL injection vulnerability has been identified in STER. Improper neutralization of user-provided input in multiple Search Filters allows SQL injection attacks. It allows an authenticated attacker to view sensitive data, such as data belonging to other users or any other data that the application itself is able to access.
This issue was fixed in version 9.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-25606 is a SQL injection vulnerability in STER search filters, allowing authenticated attackers to access data of other users.
Vulnerability
The vulnerability affects STER, a computer system supporting occupational health and safety management developed by the Central Institute for Labour Protection – National Research Institute (CIOP-PIB). Improper neutralization of special elements used in an SQL command (CWE-89) exists in multiple Search Filters. An authenticated attacker can inject SQL queries through these filters, enabling access to sensitive data. All versions below 9.5 are vulnerable, with the fix released in STER version 9.5 [1] [2].
Exploitation
An attacker must be authenticated to the STER application. By crafting malicious input into the vulnerable search filter fields, the attacker submits a request that is not properly sanitized, allowing the injected SQL to be executed by the database backend. No additional privileges or race conditions are required beyond valid authentication [1].
Impact
Successful exploitation allows the attacker to view sensitive data belonging to other users, as well as any other data the application itself can access. This leads to unauthorized information disclosure, violating confidentiality. The attacker does not gain write or execution privileges beyond the database access level of the application's database user [1].
Mitigation
The vulnerability has been fixed in STER version 9.5, released on or before 22 May 2026. Users should upgrade to version 9.5 or later. No workarounds have been published in the available references [1] [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
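The CWE-89 pattern described in the Vulnerability and Mitigation sections above, as an added example that is not STER's code and not part of this advisory: a per-user search filter built by string concatenation beside its parameterised form, plus the regression check a defender would run against either. The table, rows, probe strings and function names are constructed assumptions.

```python
# Constructed illustration of improper neutralization in a search filter
# (CWE-89); standard library only, in-memory SQLite, not STER's code.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: records owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO records (owner, title) VALUES (?, ?)",
        [("alice", "alice hazard report"), ("bob", "bob hazard report"),
         ("bob", "bob incident log")],
    )
    return conn

def search_vulnerable(conn, current_user: str, term: str) -> list:
    """Search filter with improper neutralization: the filter value is spliced
    into the SQL text, so a quote in it changes the query structure."""
    sql = (f"SELECT title FROM records WHERE owner = '{current_user}' "
           f"AND title LIKE '%{term}%'")
    return [row[0] for row in conn.execute(sql)]

def search_fixed(conn, current_user: str, term: str) -> list:
    """Same filter with bound parameters: the value is data, never SQL syntax,
    so the ownership predicate cannot be altered through the filter."""
    sql = "SELECT title FROM records WHERE owner = ? AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (current_user, f"%{term}%"))]

def quote_is_neutralized(search) -> bool:
    """Defender's first check: a legitimate filter value containing an
    apostrophe must not raise a database error (an error shows the value
    reached the SQL parser as syntax). True means the filter handles it."""
    try:
        search(make_db(), "alice", "o'brien")
        return True
    except sqlite3.OperationalError:
        return False

def filter_breaks_scoping(search, current_user: str = "alice") -> bool:
    """Defender's regression check: does a quote-bearing filter value return
    rows the current user does not own? True means the filter is injectable."""
    probe = "x%' OR 1=1 --"   # constructed probe: closes the string, appends a tautology
    rows = search(make_db(), current_user, probe)
    return any(not title.startswith(current_user) for title in rows)
```

Running `filter_breaks_scoping(search_vulnerable)` returns True (rows owned by "bob" are visible to "alice"), while `filter_breaks_scoping(search_fixed)` returns False.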
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.