An unauthenticated attacker can retrieve database account credentials from an exposed page in PROG MIS's Prog Management System, a flaw rated CVSS 9.8 (Critical).
What Is It
CVE-2026-14808 is an Exposure of Sensitive Information vulnerability (CWE-497) in the Prog Management System developed by PROG MIS. According to the vulnerability record, unauthenticated remote attackers can view a specific page and obtain the database account and password. The issue was published on 2026-07-06 and reported by TWCERT/CC.
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.8 (Critical), with a CVSS 4.0 score of 9.3. The attack vector is network-based, requires low attack complexity, and needs no privileges or user interaction. Its impact is rated High for confidentiality, integrity, and availability. Because the exposed data is a database account and password, an attacker who reaches the vulnerable page gains direct credentials that could enable broader access to the backing database. No user interaction or authentication is required, lowering the barrier to exploitation.
What's Vulnerable
The affected product is the Prog Management System from vendor PROG MIS. The vulnerability record lists the affected version as "all," indicating every version of the product is impacted.
Patch Status
The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation in the wild from KEV data. The NVD record status is "Received" and does not specify a fixed version or a formal remediation action. Refer to the TWCERT/CC advisories below for vendor guidance and any available fix information.
Sources
- NVD, CVE-2026-14808: https://nvd.nist.gov/vuln/detail/CVE-2026-14808
- TWCERT/CC Advisory (EN): https://www.twcert.org.tw/en/cp-139-11026-3df18-2.html
- TWCERT/CC Advisory (TW): https://www.twcert.org.tw/tw/cp-132-11025-fa1d9-1.html