Cyber Posture

CVE-2026-2094

High

Published: 10 February 2026
Modified: 15 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Docpedia developed by Flowring has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

[prevent] Directly prevents SQL injection vulnerabilities like CVE-2026-2094 by validating and sanitizing user inputs before they are incorporated into database queries.

[prevent] Requires timely identification, reporting, and correction of the specific SQL injection flaw in Docpedia to eliminate the vulnerability.

[prevent, detect] Boundary protection with web application firewalls or similar can filter and block SQL injection payloads targeting this authenticated remote vulnerability.

Security Summary [AI-generated]

CVE-2026-2094 is a SQL injection vulnerability (CWE-89) in Docpedia, a product developed by Flowring. Published on 2026-02-10, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability. The flaw enables authenticated remote attackers to inject arbitrary SQL commands, allowing them to read, modify, and delete database contents.

Attackers with low-privilege authenticated access can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-level control over the underlying database, potentially leading to unauthorized data exfiltration, alteration of records, or deletion of critical information, compromising the entire application's data integrity.

Mitigation details are outlined in advisories from TWCERT/CC, available at https://www.twcert.org.tw/en/cp-139-10698-1ab75-2.html and https://www.twcert.org.tw/tw/cp-132-10697-6a30b-1.html. Security practitioners should consult these references for specific patch information, workaround guidance, or upgrade recommendations from the vendor.

Details

CWE(s): CWE-89 (SQL Injection)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection enables exploitation of public-facing web applications (T1190), data collection from databases (T1213.006), and stored data manipulation (T1565.001) via arbitrary SQL commands for reading, modifying, and deleting database contents.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

TWCERT/CC advisory (English): https://www.twcert.org.tw/en/cp-139-10698-1ab75-2.html
TWCERT/CC advisory (Chinese): https://www.twcert.org.tw/tw/cp-132-10697-6a30b-1.html