TWCERT/CC Discloses Critical Injection Flaws in NewSoftOA and Sunnet CTMS
TWCERT/CC published advisories for two high-severity enterprise software vulnerabilities that could let attackers compromise backend systems and data. CVE-2026-5965 affects NewSoftOA from NewSoft and is an OS command injection flaw (CWE-78) that allows unauthenticated remote attackers to execute arbitrary operating system commands on the server. The issue carries a CVSS v3.1 score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating low-complexity network exploitation with high impact across confidentiality, integrity, and availability.
A second advisory, CVE-2026-7489, affects Sunnet CTMS and describes a SQL injection vulnerability (CWE-89) that allows authenticated remote attackers to run arbitrary SQL commands against the application database. Successful exploitation could enable reading, modifying, and deleting database contents, with a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Both vulnerabilities were published with English and Chinese references by TWCERT/CC, underscoring continued exposure in internet-reachable business applications to injection attacks that can lead to full server compromise or severe database manipulation.
Timeline
May 2, 2026
TWCERT/CC receives CVE-2026-7489 for CTMS SQL injection
TWCERT/CC received CVE-2026-7489 on May 2, 2026 for a SQL injection vulnerability in Sunnet CTMS. The issue allows authenticated remote attackers to inject arbitrary SQL commands and potentially read, modify, or delete database contents; it was classified as CWE-89 with high-severity CVSS ratings.
Apr 21, 2026
TWCERT/CC receives CVE-2026-5965 for NewSoftOA command injection
TWCERT/CC received CVE-2026-5965 on April 21, 2026 for an OS command injection vulnerability in NewSoftOA by NewSoft. The flaw allows unauthenticated attackers to execute arbitrary operating system commands on the server and was classified as CWE-78 with high-severity CVSS ratings.
Related Stories

TWCERT discloses unauthenticated flaws in Openfind MailGates and Digiwin EasyFlow .NET
TWCERT published two high-severity vulnerability entries affecting enterprise software from Taiwanese vendors. **Openfind MailGates/MailAudit** is affected by `CVE-2026-6351`, a `CWE-93` **CRLF injection** flaw that can be exploited by an unauthenticated remote attacker to read system files, creating a significant confidentiality risk. The issue was documented with CVSS v3.1 and v4.0 scoring and linked to TWCERT advisory references. TWCERT also disclosed `CVE-2026-5964` in **Digiwin EasyFlow .NET**, a `CWE-89` **SQL injection** vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL commands. Successful exploitation could let attackers read, modify, or delete database contents, affecting confidentiality, integrity, and availability. Both disclosures highlight externally reachable attack paths requiring no authentication and raise immediate patching and exposure-review concerns for organizations using the affected products.
1 week ago
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). 
SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
1 month ago
Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
3 days ago