CVE-2026-11453: Tiobon Employee Self-Service System Login Endpoint BlogSearch.aspx SQL injection

Published Jun 7, 2026

A vulnerability was found in Tiobon Employee Self-Service System up to and including version 7.2. It affects an unidentified function of the file /Blog/BlogSearch.aspx in the Login Endpoint component. Manipulating the Keyword argument leads to SQL injection. The attack can be launched remotely. An exploit has been published and can be used as-is. The vendor was contacted early about this disclosure but did not respond in any way, so no vendor fix is recorded in this advisory.

Affected Software

1 affected component
Tiobon Employee Self-Service System <= 7.2

Remediation

Recommended actions to resolve this vulnerability, in priority order.

  1. Remove

    Remove Tiobon Employee Self-Service System - Blog module from your environment.

    If the blog/search functionality is not required, uninstall or remove the Blog module (including /Blog/BlogSearch.aspx) to eliminate the vulnerable code path.

  2. Configuration

    Disable or block access to the /Blog/BlogSearch.aspx endpoint (BlogSearch) until a vendor patch or code fix is applied. Verify the block from outside the network afterwards; a rule that only covers the mixed-case path can be bypassed because IIS resolves paths case-insensitively.

    Tiobon Employee Self-Service System - /Blog/BlogSearch.aspx (Login Endpoint): endpoint_enabled = false

  3. Code change

    Modify the BlogSearch.aspx handling of the 'Keyword' parameter so the value never becomes part of the SQL text: pass it to the database as a bound parameter (in ADO.NET, a SqlParameter on a SqlCommand, or a parameterized stored procedure) instead of concatenating it into the query. Add strict input validation (length cap, allowed character set, escaping of LIKE wildcards) as defence in depth only; filtering on its own does not fix an injection.

    Tiobon Employee Self-Service System - /Blog/BlogSearch.aspx (Login Endpoint): Keyword parameter input handling = parameterize (validation alone is insufficient)
  4. Compensating control

    Deploy WAF rules or web server access controls to block or rate-limit requests to /Blog/BlogSearch.aspx and to detect or block SQL injection payloads; restrict access to the endpoint to trusted IPs where feasible. Treat signature-based WAF rules as a stopgap, since encoding and comment tricks routinely evade them; an IP allow-list or an outright block on the path is the more reliable compensating control.

  5. Operational

    Monitor web and application logs for exploitation attempts targeting /Blog/BlogSearch.aspx, in particular 'Keyword' values containing quotes, SQL comment sequences (--, /*), stacked statements (;) or keywords such as UNION, SELECT and WAITFOR, and database errors returned from that page. If compromise is suspected, run incident response: preserve and examine the logs and database audit trail, rotate credentials the application's database account could have read, and restore affected services from known-good backups.
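Remediation step 3 in working form. This is an added example, not Tiobon's code and not part of the advisory: the real application is ASP.NET (BlogSearch.aspx), where the same fix means binding Keyword as a SqlParameter on a SqlCommand, but Python with an in-memory SQLite table is used so the vulnerable and hardened queries can be run side by side anywhere. The table name `Blog`, its columns and the sample rows are assumptions, and the payload is a generic tautology rather than the published exploit.

```python
"""Vulnerable vs. parameterized keyword search (added example; not the
vendor's code). An in-memory SQLite table stands in for the blog table
behind /Blog/BlogSearch.aspx; table name, columns and rows are assumed."""
import sqlite3

# Constructed sample rows: two public posts and one unpublished draft that
# the search is never supposed to return.
SAMPLE_POSTS = [
    (1, "Welcome to the HR portal", 1),
    (2, "Payroll schedule for Q3", 1),
    (3, "DRAFT: pending salary bands", 0),
]

# Tautology plus comment terminator placed in the Keyword argument
# (generic SQLi payload, not the published exploit).
PAYLOAD = "x%' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Blog (Id INTEGER PRIMARY KEY, Title TEXT, IsPublic INTEGER)")
    conn.executemany("INSERT INTO Blog VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, keyword: str) -> list:
    """The pattern behind the CVE: Keyword is spliced into the SQL text,
    so the payload turns the WHERE clause into '... OR 1=1' and comments
    out the rest, returning every row including the draft."""
    sql = ("SELECT Id, Title FROM Blog WHERE IsPublic = 1 "
           "AND Title LIKE '%" + keyword + "%'")
    return conn.execute(sql).fetchall()


def _escape_like(value: str) -> str:
    """Neutralise LIKE wildcards so a user cannot widen the match or force
    a pathological pattern; quotes are handled by parameter binding."""
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def search_parameterized(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened form: the SQL text is constant and Keyword travels only as
    a bound value (the ADO.NET equivalent is a SqlParameter)."""
    if len(keyword) > 100:            # defence-in-depth length cap (assumed limit)
        raise ValueError("keyword too long")
    sql = ("SELECT Id, Title FROM Blog WHERE IsPublic = 1 "
           "AND Title LIKE ? ESCAPE '\\'")
    pattern = "%" + _escape_like(keyword) + "%"
    return conn.execute(sql, (pattern,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("legitimate search   :", search_parameterized(db, "payroll"))
    print("vulnerable + payload:", search_vulnerable(db, PAYLOAD))
    print("hardened + payload  :", search_parameterized(db, PAYLOAD))
```

Running the block shows the vulnerable query returning all three rows for the payload, draft included, while the parameterized query returns nothing because the same bytes are now matched as a literal title fragment. The ESCAPE clause is the detail most ports of this fix forget: without it a Keyword of `%` still turns the search into a full-table dump, which is not injection but is the kind of data exposure a self-service portal should not allow.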
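Remediation step 5 as runnable detection logic, again an added example rather than page or vendor code. It parses IIS W3C log lines (the natural log source for an .aspx application; the `#Fields:` header drives the column mapping), keeps only requests to /Blog/BlogSearch.aspx, URL-decodes the Keyword parameter and classifies it against a few SQL-injection indicators. The log lines are constructed for the example, the client addresses are documentation ranges, and the indicator list is a starting point rather than a complete signature set.

```python
"""Find SQL-injection probes against the Keyword parameter of
/Blog/BlogSearch.aspx in IIS W3C logs (added example for the monitoring
step; not vendor or SecAlerts code). Log lines are constructed."""
import re
from urllib.parse import parse_qs

# Constructed sample: the #Fields: header defines the column order, as in
# real IIS logs. One benign search, three probes from one client, and an
# unrelated page that must not be reported.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-06-08 10:01:02 GET /Blog/BlogSearch.aspx Keyword=payroll 10.0.0.5 200
2026-06-08 10:01:09 GET /Blog/BlogSearch.aspx Keyword=x%25%27+OR+1%3D1+-- 203.0.113.7 200
2026-06-08 10:01:11 GET /blog/blogsearch.aspx Keyword=a%27+UNION+SELECT+name%2Cpassword+FROM+Users-- 203.0.113.7 500
2026-06-08 10:01:15 GET /Blog/BlogSearch.aspx Keyword=a%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 203.0.113.7 200
2026-06-08 10:02:00 GET /Default.aspx user=%27+OR+1%3D1 198.51.100.9 200
"""

TARGET_PATH = "/blog/blogsearch.aspx"   # compared case-insensitively, as IIS resolves paths

# Indicators checked in order; the first match names the technique.
# Deliberately conservative: '#' is left out because it is a normal
# character in search terms and only a comment marker in MySQL.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("time-based", re.compile(r"\b(waitfor\s+delay|sleep\s*\(|pg_sleep\s*\(|benchmark\s*\()", re.I)),
    ("tautology", re.compile(r"['\"]\s*or\s+\S+\s*=\s*\S+|\bor\b\s+1\s*=\s*1", re.I)),
    ("stacked-query", re.compile(r";\s*\w")),
    ("comment-terminator", re.compile(r"--|/\*")),
    ("quote", re.compile(r"['\"]")),
]


def parse_iis(text):
    """Yield one dict per record, keyed by the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue            # truncated or malformed record: skip, do not crash
        yield dict(zip(fields, parts))


def classify_keyword(value):
    """Name the injection technique suggested by a decoded Keyword, or None."""
    for name, rx in INDICATORS:
        if rx.search(value):
            return name
    return None


def find_probes(text):
    """Return (client ip, indicator, decoded keyword, status) for each hit."""
    hits = []
    for rec in parse_iis(text):
        if rec.get("cs-uri-stem", "").lower() != TARGET_PATH:
            continue
        # parse_qs undoes %XX and '+' encoding; ASP.NET reads the query
        # string case-insensitively, so accept keyword/Keyword/KEYWORD.
        params = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        for key, values in params.items():
            if key.lower() != "keyword":
                continue
            for value in values:
                verdict = classify_keyword(value)
                if verdict:
                    hits.append((rec["c-ip"], verdict, value, rec["sc-status"]))
    return hits


def probes_by_ip(text):
    """Count hits per client; repeated probes from one source are the
    signal worth paging on, a lone apostrophe in a search term is not."""
    counts = {}
    for ip, _, _, _ in find_probes(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
    print(probes_by_ip(SAMPLE_LOG))
```

On the sample the benign `payroll` search and the unrelated Default.aspx request are ignored and the three probes from 203.0.113.7 are reported as tautology, union-select and time-based, the last of which is the one that matters most operationally: a WAITFOR or SLEEP in the Keyword that coincides with a slow response (IIS logs time-taken when that field is enabled) means the injected statement actually reached the database. Status 500 alongside a UNION probe is likewise worth a closer look, since error pages are how attackers map the query's column count.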

Event History

Jun 7, 2026
  CVE Published via MITRE, 03:45 AM
  Data Sourced via MITRE, 03:45 AM (Description, Severity, Weakness)
  Data Sourced via NVD, 04:16 AM (Description, Severity, Weakness)
Aug 5, 58401
  Event via NVD, 09:53 PM

Frequently Asked Questions

1. What is CVE-2026-11453?

CVE-2026-11453 is a SQL injection vulnerability in the /Blog/BlogSearch.aspx endpoint (Keyword parameter) of Tiobon Employee Self-Service System up to and including version 7.2. It is exploitable remotely and a public exploit exists.

2. What is the severity of CVE-2026-11453?

The severity of CVE-2026-11453 is rated medium, with a CVSS score of 6.3.

3. How do I fix CVE-2026-11453?

The advisory records no vendor response and therefore no fixed release. Check with Tiobon for a version newer than 7.2 that addresses the issue and upgrade to it when available; until then apply the remediation steps above: remove or disable the Blog module, block the /Blog/BlogSearch.aspx endpoint, parameterize the Keyword handling if you maintain the code, and front the application with WAF or access-control rules.

4. What can attackers do with CVE-2026-11453?

A remote attacker can place SQL syntax in the Keyword parameter of BlogSearch.aspx so that it is executed by the backend database. Depending on the privileges of the application's database account, this may expose data held by the self-service system, allow it to be modified, or on some database engines be escalated further.

5. How can I determine if my system is affected by CVE-2026-11453?

If you run Tiobon Employee Self-Service System version 7.2 or earlier and the Blog module is deployed (the file /Blog/BlogSearch.aspx exists and is reachable), assume you are affected. On a system you are authorized to test, a Keyword value containing a single quote that produces a database error or an unexpected result set confirms the vulnerable code path; inspect the web logs for such requests to learn whether anyone else has already tried.

© 2026 SecAlerts Pty Ltd.