🔐 CVE Alert

CVE-2026-10731

Severity: UNKNOWN (CVSS 0.0)

SQL injection in Nemon products

CVSS Score: 0.0
EPSS Score: 0.1%
EPSS Percentile: 29th

SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.

CWE: CWE-89
Vendor: nemon
Product: nemon trade energy
Published: Jun 9, 2026
Last Updated: Jun 9, 2026
Affected Versions

Nemon / Nemon Trade Energy: 2.95.55
Nemon / Nemon Trade Energy CRM: 2.95.55

References

incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-nemon-products

Credits

Adrià Alavedra Palacios