A critical hard-coded credentials flaw in PROG MIS's ERP App lets unauthenticated remote attackers log in, read application code, and retrieve the database account and password.
What Is It
CVE-2026-14807 is a Use of Hard-coded Credentials vulnerability (CWE-798) in the ERP App developed by PROG MIS. According to the NVD record, the embedded credentials allow unauthenticated remote attackers to log in to the application, view its code, and obtain the database account and password. The issue was published on 2026-07-06 and reported by TWCERT/CC ([email protected]).
It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. A secondary CVSS 4.0 score of 9.3 (CRITICAL) is also assigned.
Why It Matters
The flaw is network-exploitable with low attack complexity and requires no privileges or user interaction. Because the hard-coded credentials grant direct application access and expose database credentials, an attacker can reach the backing database; placing confidentiality, integrity, and availability all at high impact. In an ERP context, that database typically holds financial, operational, and personnel data, making full compromise a realistic outcome.
Note: No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.
What's Vulnerable
- Vendor: PROG MIS
- Product: ERP App
- Affected versions: All versions (per the TWCERT-supplied affected data)
Patch Status
The supplied NVD record (vulnStatus: "Received") does not include specific patch or remediation instructions. Refer to the TWCERT/CC advisories listed below for vendor guidance and required actions.
Sources
- NVD, CVE-2026-14807: https://nvd.nist.gov/vuln/detail/CVE-2026-14807
- TWCERT/CC Advisory (EN): https://www.twcert.org.tw/en/cp-139-11024-c5c1a-2.html
- TWCERT/CC Advisory (TW): https://www.twcert.org.tw/tw/cp-132-11023-3abe8-1.html