Skip to content
Threat Feed
critical advisory

CVE-2026-14808 — Prog Management System Sensitive Information Exposure

A critical vulnerability, CVE-2026-14808, in the Prog Management System developed by PROG MIS allows unauthenticated remote attackers to view a specific web page and obtain sensitive database account credentials, including the username and password, with high impact on confidentiality, integrity, and availability.

A critical vulnerability, tracked as CVE-2026-14808, has been identified in the Prog Management System developed by PROG MIS. This flaw, categorized as an Exposure of Sensitive Information (CWE-497), permits unauthenticated remote attackers to access a specific, unprotected web page within the system. By merely viewing this page, attackers can directly obtain the database account and password used by the application. This vulnerability presents a severe risk, as it grants attackers access to critical backend credentials, potentially leading to unauthorized access to the entire database and subsequent data compromise or system manipulation. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) by TWCERT/CC, underscoring its severe implications for affected organizations.

Attack Chain

  1. An unauthenticated remote attacker identifies a publicly accessible instance of the vulnerable Prog Management System.
  2. The attacker sends a crafted HTTP GET request to a specific, unprotected web page within the application, which is known to expose sensitive system information.
  3. The vulnerable Prog Management System processes the request without enforcing proper authentication or authorization checks for this particular page.
  4. The system responds to the attacker's request, and the HTTP response body contains the plaintext database account username and password.
  5. The attacker parses the HTTP response to extract the sensitive database credentials.
  6. With the obtained database account and password, the attacker gains unauthorized administrative access to the underlying database.
  7. The attacker can then perform various malicious actions, including data exfiltration, modification, or deletion, depending on the privileges of the compromised database account.

Impact

Successful exploitation of CVE-2026-14808 results in the direct compromise of the application's database credentials. This allows unauthenticated attackers to gain full access to the backend database, potentially leading to widespread data breaches, data manipulation, or denial of service. The impact includes the compromise of sensitive organizational data, customer information, and critical operational data. While specific victim counts are not available, any organization utilizing the affected Prog Management System versions by PROG MIS is at risk. Such a compromise can lead to significant financial losses, reputational damage, and regulatory penalties.

Recommendation

  • Immediately apply the security update released by PROG MIS for CVE-2026-14808 to all instances of the Prog Management System.
  • Review web server access logs for requests to unusual or sensitive paths that respond with database credentials, and tune existing webserver monitoring rules.
  • Implement strong database credential management practices, including least privilege, regular rotation, and secure storage, separate from application code, even after patching CVE-2026-14808.
  • Monitor all database access logs for unusual activity or access patterns originating from the application's account following the remediation of CVE-2026-14808.

Indicators of compromise

2

url

TypeValue
urlhttps://www.twcert.org.tw/en/cp-139-11026-3df18-2.html
urlhttps://www.twcert.org.tw/tw/cp-132-11025-fa1d9-1.html