SQL Injection Vulnerability in SIMPLE.ERP Software by SIMPLE
CVE-2025-9339

7.1 HIGH

Key Information:

Vendor

Simple Sa

CVE Published:
21 October 2025

What is CVE-2025-9339?

An SQL injection vulnerability has been identified in the warehouse document filtering form of SIMPLE.ERP software. A logged-in user can submit an injected payload of up to 20 characters, which is enough for significant actions such as deleting database tables whose names are at most 6 characters long. The character limit on the query appears to prevent data exfiltration, but the potential for destructive actions still raises serious concerns about data integrity and security within the application.

Affected Version(s)

SIMPLE.ERP 0 < [email protected]

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kamil Dąbkowski