CVE-2026-6887
Published: 23 April 2026
Summary
CVE-2026-6887 is a critical-severity SQL Injection (CWE-89) vulnerability in Org (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-6887, published on 2026-04-23, is a SQL injection vulnerability (CWE-89) affecting Borg SPM 2007, a software product developed by BorG Technology Corporation with sales ending in 2008. The flaw enables unauthenticated remote attackers to inject arbitrary SQL commands into the application, potentially compromising the underlying database.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation grants high-impact access to read, modify, and delete database contents, reflected in the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Advisories from TWCERT/CC detail the vulnerability and mitigation guidance at https://www.twcert.org.tw/en/cp-139-10863-2f48e-2.html and https://www.twcert.org.tw/tw/cp-132-10861-b8709-1.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25213
Vulnerability details
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing application maps to Exploit Public-Facing Application (T1190) and to collection or modification of data in databases (T1213.006).
Mitigating Controls (NIST 800-53 r5)
Directly prevents SQL injection in Borg SPM 2007 by validating and sanitizing unauthenticated remote user inputs before database processing.
Requires timely identification, reporting, and correction of the specific SQL injection flaw (CVE-2026-6887) in Borg SPM 2007.
Prohibits use of unsupported system components like Borg SPM 2007, with sales ended in 2008, eliminating exposure to this vulnerability.