SYS::ONLINE
Wasteland.
Briefs1108
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-14807 2026-07-06

CVE-2026-14807: Hard-Coded Credentials in PROG MIS ERP App Expose Database Access

"A critical hard-coded credentials flaw in PROG MIS's ERP App lets unauthenticated remote attackers log in, read application code, and retrieve the database account and password."

A critical hard-coded credentials flaw in PROG MIS's ERP App lets unauthenticated remote attackers log in, read application code, and retrieve the database account and password.

What Is It

CVE-2026-14807 is a Use of Hard-coded Credentials vulnerability (CWE-798) in the ERP App developed by PROG MIS. According to the NVD record, the embedded credentials allow unauthenticated remote attackers to log in to the application, view its code, and obtain the database account and password. The issue was published on 2026-07-06 and reported by TWCERT/CC ([email protected]).

It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. A secondary CVSS 4.0 score of 9.3 (CRITICAL) is also assigned.

Why It Matters

The flaw is network-exploitable with low attack complexity and requires no privileges or user interaction. Because the hard-coded credentials grant direct application access and expose database credentials, an attacker can reach the backing database; placing confidentiality, integrity, and availability all at high impact. In an ERP context, that database typically holds financial, operational, and personnel data, making full compromise a realistic outcome.

Note: No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.

What's Vulnerable

Patch Status

The supplied NVD record (vulnStatus: "Received") does not include specific patch or remediation instructions. Refer to the TWCERT/CC advisories listed below for vendor guidance and required actions.

Sources