CVE-2026-10731 PUBLISHED

SQL injection in Nemon products

Assigner: INCIBE
Reserved: 03.06.2026 Published: 09.06.2026 Updated: 09.06.2026

SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Nemon
Product	Nemon Trade Energy
Versions	Default: unaffected Version 2.95.55 is affected

Vendor	Nemon
Product	Nemon Trade Energy CRM
Versions	Default: unaffected Version 2.95.55 is affected

Solutions

The reported vulnerability was fully mitigated by the Nemon team on 26 May 2026. There is no evidence that the vulnerability was exploited, nor that it had any impact on customers or data managed by the platform. As this is a SaaS solution, the fix was applied centrally by Nemon, without requiring any action on the part of customers. The vulnerability has been fixed and is no longer exploitable.

Credits

Adrià Alavedra Palacios finder

References

https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-nemon-products

Problem Types

CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection') CWE