Date of Posting: 2026/07/17
【Vulnerability Alert】BPMero|HCM - SQL Injection
- Subject: 【Vulnerability Alert】BPMero|HCM - SQL Injection
- Description:
- Forwarded from Taiwan Computer Emergency Response Team / Coordination Center Security Advisory TWCERTCC-200-202607-00000010
- 【BPMero|HCM - SQL Injection 】(CVE-2026-15804, CVSS: 8.8) An SQL Injection vulnerability exists in HCM developed by BPMero. An authenticated remote attacker can inject SQL commands through specific parameters, affecting the confidentiality, integrity, and availability of database data.
- Affected Platforms:
- HCM versions 7 to 7.5.3 (exclusive), HCM versions 8 to 8.1.7.1 (exclusive)
- Recommended Actions:
- Please update to HCM version 7.5.3 (inclusive) or later, Please update to HCM version 8.1.7.1 (inclusive) or later
- References:
Computer and Communication Center
Network System Division