Date of Posting: 2026/07/17

【Vulnerability Alert】BPMero|HCM - SQL Injection

  • Subject: 【Vulnerability Alert】BPMero|HCM - SQL Injection


  • Description:
    • Forwarded from Taiwan Computer Emergency Response Team / Coordination Center Security Advisory TWCERTCC-200-202607-00000010
    • 【BPMero|HCM - SQL Injection 】(CVE-2026-15804, CVSS: 8.8) An SQL Injection vulnerability exists in HCM developed by BPMero. An authenticated remote attacker can inject SQL commands through specific parameters, affecting the confidentiality, integrity, and availability of database data.
  • Affected Platforms:
    • HCM versions 7 to 7.5.3 (exclusive), HCM versions 8 to 8.1.7.1 (exclusive)
  • Recommended Actions:
    • Please update to HCM version 7.5.3 (inclusive) or later, Please update to HCM version 8.1.7.1 (inclusive) or later
  • References:

Computer and Communication Center
Network System Division