Refine your search
1 vulnerability found for KlinikaXP by BRI
CVE-2026-1958 (GCVE-0-2026-1958)
Vulnerability from cvelistv5
Published
2026-03-23 12:40
Modified
2026-03-23 15:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Summary
Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update.
This issue affects KlinikaXP: before 5.39.01.01. and KlinikaXP Insertino before 3.1.0.1
Beside removing the hardcoded credentials from the code, previously exposed credentials were also rotated preventing further attack attempts.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BRI | KlinikaXP Insertino |
Version: 0 ≤ |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:17:46.045147Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:51:31.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "KlinikaXP Insertino",
"vendor": "BRI",
"versions": [
{
"lessThan": "3.1.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "KlinikaXP",
"vendor": "BRI",
"versions": [
{
"lessThan": "5.39.01.01",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wojciech Gie\u0142da"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted the application\u0027s update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update.\u003cbr\u003e\u003cbr\u003eThis issue affects KlinikaXP: before 5.39.01.01. and KlinikaXP Insertino before 3.1.0.1\u003cbr\u003e\u003cbr\u003eBeside removing the hardcoded credentials from the code, previously exposed credentials were also rotated preventing further attack attempts."
}
],
"value": "Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted the application\u0027s update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update.\n\nThis issue affects KlinikaXP: before 5.39.01.01. and KlinikaXP Insertino before 3.1.0.1\n\nBeside removing the hardcoded credentials from the code, previously exposed credentials were also rotated preventing further attack attempts."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T12:40:12.895Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/03/CVE-2026-1958"
},
{
"tags": [
"product"
],
"url": "https://www.klinikaxp.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hard-coded passwords in KlinikaXP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-1958",
"datePublished": "2026-03-23T12:40:12.895Z",
"dateReserved": "2026-02-05T10:05:53.336Z",
"dateUpdated": "2026-03-23T15:51:31.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}