Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Tools
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in STER software
22 May 2026 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2026-25606
Publication date 22 May 2026
Vendor Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy
Product STER
Vulnerable versions All before 9.5
Vulnerability type (CWE) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Report source Report to CERT Polska
CVE ID CVE-2026-25607
Publication date 22 May 2026
Vendor Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy
Product STER
Vulnerable versions All before 9.5
Vulnerability type (CWE) Weak Encoding for Password (CWE-261)
Report source Report to CERT Polska
CVE ID CVE-2026-25608
Publication date 22 May 2026
Vendor Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy
Product STER
Vulnerable versions All before 9.5
Vulnerability type (CWE) Cleartext Transmission of Sensitive Information (CWE-319)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in STER software and participated in coordination of their disclosure.

The vulnerability CVE-2026-25606: A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters allows for SQL Injection attacks. It allows an authenticated attacker to view sensitive data such as data belonging to other users, or any other data that the application itself is able to access

The vulnerability CVE-2026-25607: Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded.

The vulnerability CVE-2026-25608: STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens.

These issues were fixed in version 9.5.

Credits

We thank Michelin CERT for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.