SQL injection in Nemon products
Nemon Trade Energy and Nemon Trade Energy CRM, version 2.95.55.
INCIBE has coordinated the publication of a critical-severity vulnerability affecting Nemon’s Trade Energy and Trade Energy CRM, an integrated management (ERP) software suite for electricity and gas suppliers. The vulnerability was discovered by Adrià Alavedra Palacios.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2026-10731: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
The reported vulnerability was fully mitigated by the Nemon team on 26 May 2026. There is no evidence that the vulnerability was exploited, nor that it had any impact on customers or data managed by the platform. As this is a SaaS solution, the fix was applied centrally by Nemon, without requiring any action on the part of customers. The vulnerability has been fixed and is no longer exploitable.
CVE-2026-10731: SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions.
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2026-10731 | Crítica | No | Nemon |
