CVE-2026-6833 - Vulnerability Details - OpenCVE

The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Aenrich	A+hrd

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Aenrich	A+hrd

References

Link	Providers
https://www.twcert.org.tw/en/cp-139-10834-eb3ee-2.html
https://www.twcert.org.tw/tw/cp-132-10833-e3a53-1.html

History

Wed, 22 Apr 2026 05:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aenrich Aenrich a+hrd
Vendors & Products		Aenrich Aenrich a+hrd

Wed, 22 Apr 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
Title		aEnrich｜a+HRD - SQL Injection
Weaknesses		CWE-89
References		https://www.twcert.org.tw/en/cp-139-10834-eb3ee-2.html https://www.twcert.org.tw/tw/cp-132-10833-e3a53-1.html
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2026-04-22T03:32:28.659Z

Updated: 2026-04-22T03:32:48.200Z

Reserved: 2026-04-22T02:48:33.880Z

Link: CVE-2026-6833

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T04:16:07.303

Modified: 2026-04-22T04:16:07.303

Link: CVE-2026-6833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6833", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2026-04-22T02:48:33.880Z", "datePublished": "2026-04-22T03:32:28.659Z", "dateUpdated": "2026-04-22T03:32:48.200Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2026-04-22T03:32:48.200Z"}, "title": "aEnrich\uff5ca+HRD - SQL Injection", "datePublic": "2026-04-22T03:32:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "affected": [{"vendor": "aEnrich", "product": "a+HRD", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "7.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents."}]}], "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-10833-e3a53-1.html", "tags": ["third-party-advisory"]}, {"url": "https://www.twcert.org.tw/en/cp-139-10834-eb3ee-2.html", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "Please refer to the aEnrich advisory to upgrade to version 6.8 or later and install the latest patches, or contact aEnrich customer service for assistance.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Please refer to the aEnrich advisory to upgrade to version 6.8 or later and install the latest patches, or contact aEnrich customer service for assistance."}]}], "source": {"advisory": "TVN-202604004", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents."}], "id": "CVE-2026-6833", "lastModified": "2026-04-22T04:16:07.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "twcert@cert.org.tw", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2026-04-22T04:16:07.303", "references": [{"source": "twcert@cert.org.tw", "url": "https://www.twcert.org.tw/en/cp-139-10834-eb3ee-2.html"}, {"source": "twcert@cert.org.tw", "url": "https://www.twcert.org.tw/tw/cp-132-10833-e3a53-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "twcert@cert.org.tw", "type": "Primary"}]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "a+HRD", "source": "cna", "vendor": "aEnrich"}, "product": "a+hrd", "vendor": "aenrich"}], "analysis": {"en": {"generated_at": "2026-04-22T06:08:02.056808+00:00", "value": {"mitigation_remediation": ["Upgrade a+HRD to version 6.8 or later and apply the latest patches as recommended by aEnrich.", "Reconfigure the database account used by a+HRD to grant only the minimum privileges required, avoiding discretionary SELECT permissions on non\u2011critical tables.", "Validate all user-supplied input in the application or use parameterized queries so that data cannot form part of executable SQL."], "summary": {"action": "Immediate Patch", "impact": "Data Disclosure"}, "threat_synthesis": {"affected_systems": "All installations of a+HRD by aEnrich are vulnerable; the advisory recommends upgrading to version 6.8 or later and applying the latest patches. No specific version range is listed beyond that requirement, so unsupported or older deployments remain at risk.", "description_and_impact": "The a+HRD application developed by aEnrich contains a SQL Injection flaw that allows authenticated remote attackers to inject arbitrary SQL commands, enabling the extraction of database contents. This vulnerability compromises the confidentiality of sensitive data stored by the application. Although the attack requires prior authentication, the attacker can potentially read, modify, or delete information, thereby exposing business logic secrets and customer data.", "risk_and_exploitability": "The CVSS score of 7.1 classifies this issue as high severity. Because the vulnerability is only exploitable by authenticated users, the exploitation likelihood depends on the attacker\u2019s ability to gain valid credentials. No EPSS score is available and the vulnerability is not currently listed in the CISA KEV catalog, indicating no known widespread exploitation at this time. The primary attack vector is an authenticated remote request to the application that submits malicious SQL payloads."}}}}, "created": "2026-04-22T05:30:09.352127+00:00", "updated": "2026-04-22T06:15:10.411864+00:00", "vendors": ["aenrich", "aenrich$PRODUCT$a+hrd"]}