Overview
CVE-2026-6887 is a critical SQL injection vulnerability in Borg SPM 2007, a sales performance management application by BorG Technology Corporation that reached end-of-sale in 2008. The vulnerability permits unauthenticated remote attackers to inject arbitrary SQL commands into database queries, enabling complete read, modify, and delete access to all database contents — including sensitive business, employee, and financial records.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-6887 |
| CVSS Score | 9.8 (Critical) |
| Vendor | BorG Technology Corporation |
| Product | Borg SPM 2007 |
| EOL Date | 2008 (sales ended) |
| Attack Vector | Network |
| Authentication | None required |
| Published | 2026-04-23 |
Technical Details
SQL injection vulnerabilities occur when user-supplied input is concatenated into the text of a database query instead of being passed as a bound parameter, so the input can change the structure of the statement rather than only the value it compares against. In Borg SPM 2007, the injection point is reachable without authentication, meaning attackers do not need valid credentials to begin exploiting the application's backend database.
Through SQL injection, an attacker can:
- Read all data stored in the database (user credentials, sales records, personal information)
- Modify any database record — altering figures, changing account details, or corrupting data
- Delete database contents — enabling destructive data wipeout attacks
- Potentially escalate to operating system command execution on database servers where extended stored procedures are enabled (such as `xp_cmdshell` on Microsoft SQL Server; it is disabled by default on SQL Server 2005 and later and needs sysadmin-level rights, so this step depends on how the database was deployed)
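The bullets above describe what string-built SQL hands to an unauthenticated caller. The following is an added example, not code from Borg SPM 2007 or its vendor: a hypothetical pre-authentication lookup written the vulnerable way and the parameterised way, run against an in-memory SQLite table with constructed rows, with a tautology payload and a UNION payload that pulls password hashes out of an unrelated table (the credential-harvesting scenario). The table names, columns, rows and payloads are all assumptions made for the demonstration.

```python
"""Added example (not code from Borg SPM or its vendor): a hypothetical
pre-authentication lookup built two ways, to show why string-built SQL
gives an unauthenticated caller the whole database and why a bound
parameter does not. Tables, columns and rows are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE reps (name TEXT, region TEXT, quota INTEGER);
        INSERT INTO reps VALUES ('alice', 'north', 120000);
        INSERT INTO reps VALUES ('bob',   'south', 95000);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES ('jdoe',  'e10adc3949ba59abbe56e057f20f883e');
        """
    )
    return conn


def lookup_rep_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The bug pattern: untrusted input spliced into the SQL text, so the
    caller's string becomes part of the statement itself."""
    sql = "SELECT name, region, quota FROM reps WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_rep_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement is fixed text; the value travels separately as
    a bound parameter and can never change the query's structure."""
    sql = "SELECT name, region, quota FROM reps WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payloads an unauthenticated attacker could send in the lookup field.
TAUTOLOGY = "' OR '1'='1"
# UNION appends rows from a different table. The column count must match the
# original SELECT (three here), so a literal 0 pads the third column, and the
# trailing comment marker discards the application's closing quote.
UNION_HASH_DUMP = "' UNION SELECT username, password_hash, 0 FROM users --"


def demo() -> dict:
    """Run each input through both lookups and return the rows they yield."""
    conn = make_db()
    return {
        "normal_vuln": lookup_rep_vulnerable(conn, "alice"),
        "normal_safe": lookup_rep_safe(conn, "alice"),
        # tautology: every rep comes back from the vulnerable version...
        "tautology_vuln": lookup_rep_vulnerable(conn, TAUTOLOGY),
        # ...while the safe version looks for a rep literally named "' OR '1'='1"
        "tautology_safe": lookup_rep_safe(conn, TAUTOLOGY),
        # union: password hashes from a table the lookup never meant to touch
        "union_vuln": lookup_rep_vulnerable(conn, UNION_HASH_DUMP),
        "union_safe": lookup_rep_safe(conn, UNION_HASH_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```

One caveat worth knowing when reproducing this: Python's `sqlite3.execute` refuses to run more than one statement per call, so a stacked payload such as `'; DROP TABLE reps --` fails here, whereas Microsoft SQL Server executes stacked statements, which is what makes the destructive scenarios above practical on that backend.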
Common Attack Scenarios
- Credential harvesting: Extract all user password hashes from the database for offline cracking
- Data exfiltration: Dump the entire database contents to a remote-controlled endpoint
- Data tampering: Modify sales records, financial figures, or user permissions
- Account creation: Insert new administrative accounts to maintain persistent access
- Database destruction: Delete critical tables or the entire database schema
Relationship to Other CVEs
This vulnerability is one of three critical flaws disclosed simultaneously in Borg SPM 2007:
- CVE-2026-6885 — Arbitrary file upload enabling web shell deployment (CVSS 9.8)
- CVE-2026-6886 — Authentication bypass enabling impersonation of any user (CVSS 9.8)
These three vulnerabilities together represent a complete application compromise scenario — any one of them alone is sufficient for catastrophic impact.
Risk Assessment
Pre-authentication SQL injection is one of the most severe vulnerability classes. The absence of any authentication gate means any attacker who can reach the application's HTTP(S) port (typically 80/443) can extract, modify, or destroy all application data. With no patch available from the vendor, updating cannot reduce the risk; only network isolation or removing the software does.
Remediation
No patch is available or expected. BorG Technology Corporation ended sales in 2008 with no ongoing security support.
Recommended actions:
- Immediately decommission any Borg SPM 2007 instances
- If decommissioning is not immediately possible, isolate the application from all untrusted networks using firewall rules
- Treat all data in the application database as potentially compromised and notify affected individuals if personal data may have been exfiltrated
- Implement a WAF rule blocking common SQL injection patterns as a temporary control only — not a substitute for decommissioning
- Migrate to a supported, actively maintained alternative platform
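The WAF recommendation above is a stopgap because signature rules block the shape of known payloads, not the underlying flaw. The following added example, not code from the advisory or the vendor, puts a toy blocklist of the kind a WAF rule encodes next to the number of rows a concatenated query would actually leak for the same URL-encoded parameter value. The signatures, request values and the one-table in-memory database are all constructed for this demonstration.

```python
"""Added example (not the advisory's or the vendor's code): a toy
signature filter of the kind a WAF rule encodes, run over constructed
request parameter values, beside the row count a string-built query would
actually leak for the same value. Signatures, requests and the one-table
database are constructed for the demonstration."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Typical blocklist signatures: quote-OR-quote tautology, UNION SELECT,
# SQL comment openers. Applied case-insensitively after URL decoding.
SIGNATURES = [
    re.compile(r"'\s*or\s*'", re.I),
    re.compile(r"union\s+select", re.I),
    re.compile(r"--|/\*"),
]


def waf_blocks(raw_param: str) -> bool:
    """True if any signature fires on the decoded parameter value."""
    return any(sig.search(unquote_plus(raw_param)) for sig in SIGNATURES)


def rows_leaked(raw_param: str) -> int:
    """Ground truth: rows a concatenated query returns for the same value.
    Three constructed rows; a correct lookup returns at most one of them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE reps(name TEXT);"
        "INSERT INTO reps VALUES ('alice'), ('bob'), ('carol');"
    )
    sql = "SELECT name FROM reps WHERE name = '" + unquote_plus(raw_param) + "'"
    try:
        return len(conn.execute(sql).fetchall())
    except sqlite3.Error:  # malformed SQL just fails; nothing leaks
        return 0


# Constructed parameter values as they would appear URL-encoded in a request.
REQUESTS = {
    "benign": "alice",                               # alice
    "textbook": "%27+OR+%271%27%3D%271",             # ' OR '1'='1
    "no_quote_after": "%27+OR+1%3D1+OR+name%3D%27",  # ' OR 1=1 OR name='
    "like_wildcard": "%27+OR+name+LIKE+%27%25",      # ' OR name LIKE '%
    "double_dash": "north--east",                    # legitimate value
}


def evaluate() -> dict:
    """Map each request to (blocked_by_waf, rows_the_app_would_leak)."""
    return {label: (waf_blocks(v), rows_leaked(v)) for label, v in REQUESTS.items()}


if __name__ == "__main__":
    for label, (blocked, rows) in evaluate().items():
        print(f"{label:15s} blocked={blocked!s:5s} rows_leaked={rows}")
```

The textbook tautology is caught, but two trivial rewrites that never put a quote directly after `OR` slip past the rule and still return every row, while a harmless value containing `--` is blocked outright. Tightening the patterns moves the line rather than removing it, which is why the rule buys time for decommissioning and nothing more.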