CVE-2026-7489:

CVE-2026-7489 is a SQL Injection vulnerability in Sunnet's CTMS application that allows authenticated remote attackers to execute arbitrary SQL commands, enabling unauthorized read, modification, and deletion of database contents.

Score
A numerical rating that indicates how dangerous this vulnerability is.

8.8High

Published Date:May 2, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.1
EPSS Percentile:23%

Exploitability

Score:2.8
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:LOW
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Overview

CTMS, developed by Sunnet, contains a SQL Injection vulnerability (CWE-89) that can be exploited by authenticated remote attackers. By injecting malicious SQL commands into the application, an attacker with low-privilege credentials can read, alter, and destroy data within the database. No user interaction is required and attack complexity is low, significantly elevating the risk posed by this vulnerability. The CVSS v3.1 score of 8.8 reflects the high impact across confidentiality, integrity, and availability dimensions of the affected system.

Remediation

Users and administrators of Sunnet's CTMS should apply any patches or updates provided by Sunnet in response to this vulnerability immediately. Input validation and parameterized queries (prepared statements) should be enforced within the application to prevent SQL injection. Access to the CTMS application should be restricted to only authorized and necessary personnel, limiting the potential attacker pool. Network-level controls such as web application firewalls (WAF) should be considered as a defense-in-depth measure. Organizations should monitor database activity logs for any anomalous query patterns indicative of exploitation attempts. Contact Sunnet or consult the Taiwan CERT advisories for specific patch availability and guidance.