Home

Description

Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update. This issue affects KlinikaXP: before 5.39.01.01. and KlinikaXP Insertino before 3.1.0.1 Beside removing the hardcoded credentials from the code, previously exposed credentials were also rotated preventing further attack attempts.

PUBLISHED Reserved 2026-02-05 | Published 2026-03-23 | Updated 2026-03-23 | Assigner CERT-PL




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-798 Use of Hard-coded Credentials

Product status

Default status
unaffected

Any version before 3.1.0.1
affected

Default status
unaffected

Any version before 5.39.01.01
affected

Credits

Wojciech Giełda finder

References

cert.pl/posts/2026/03/CVE-2026-1958 third-party-advisory

www.klinikaxp.pl/ product

cve.org (CVE-2026-1958)

nvd.nist.gov (CVE-2026-1958)

Download JSON