CVE-2026-14809
PROG MIS · Prog Management System
The PROG Management System contains a SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL commands and access database contents.
Executive summary
A critical SQL injection vulnerability in the PROG Management System enables unauthenticated attackers to exfiltrate sensitive data from the underlying database.
Vulnerability
This is a classic CWE-89 SQL injection vulnerability. It allows an unauthenticated remote attacker to inject malicious SQL queries into the application, bypassing authentication and data access controls to retrieve unauthorized information.
Business impact
With a CVSS score of 7.5 (High), this vulnerability poses a severe risk to data confidentiality. Successful exploitation could lead to full database compromise, resulting in the unauthorized disclosure of sensitive business or user information, potentially leading to regulatory non-compliance and significant reputational damage.
Remediation
Immediate Action: Contact the vendor (PROG MIS) immediately to obtain the necessary security patch or remediation guidance as specified at https://www.twcert.org.tw/tw/cp-132-11025-fa1d9-1.html.
Proactive Monitoring: Review database access logs for anomalous query patterns, such as unexpected use of SQL keywords or high volumes of data retrieval requests.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict SQL injection protection rules to filter malicious traffic directed at the application.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability is critical due to the ease of access for unauthenticated attackers. Organizations using this system must take immediate steps to isolate the application from public access until a vendor-supplied patch is successfully applied and verified.