Summary
- INCIBE-CERT disclosed CVE-2026-10731, a critical SQL injection flaw in Nemon Trade Energy and Trade Energy CRM.
- The affected products support electricity and gas marketers, placing the issue inside energy-sector supplier assurance.
- INCIBE says the SaaS vulnerability was fully mitigated by Nemon and is no longer exploitable, with no evidence of exploitation or customer impact.
Spain’s INCIBE has disclosed a critical SQL injection vulnerability in specialist energy-sector software used by electricity and gas marketers, showing how operational exposure can sit inside narrow industry SaaS platforms rather than obvious critical infrastructure systems.
The advisory concerns CVE-2026-10731, a critical flaw affecting Nemon Trade Energy and Nemon Trade Energy CRM version 2.95.55. The products are part of Nemon’s software portfolio and are described by INCIBE as integrated management software, or ERP, for electricity and gas marketing companies.
INCIBE-CERT coordinated publication of the vulnerability after it was discovered by Adrià Alavedra Palacios. The flaw has a CVSS v4.0 base score of 9.3 and is classified as CWE-89, improper neutralisation of special elements used in an SQL command.
The vulnerability sat in the two_steps_auth_code parameter processed by the twoStepsAuthVerification function inside the /user-login endpoint. Because the two-factor authentication functionality could be accessed without prior authentication, an unauthenticated attacker could have executed arbitrary SQL queries against the backend database.
The potential impact described by the Spanish agency was broad. Successful exploitation could have enabled database enumeration, unauthorised creation of privileged users, modification or deletion of critical information, and denial-of-service conditions. In software supporting energy-sector commercial operations, customer records, billing workflows, and business administration, those outcomes would sit well beyond routine application security housekeeping.
Several factors limit the immediate exposure. INCIBE said the issue was fully mitigated by Nemon on 26 May 2026, with no customer action required because the affected products are provided as SaaS. The agency also said there is no evidence that the vulnerability was exploited, or that it had any impact on customers or data managed by the platform. The vulnerability has been corrected and is not currently exploitable.
The clean remediation record does not remove the supplier-risk signal. Energy-sector customers were not necessarily running vulnerable software on their own infrastructure; they depended on a specialist SaaS provider serving a regulated and strategically important market. In that model, customer assurance depends on the supplier’s secure development process, vulnerability disclosure handling, logging, remediation discipline, and ability to demonstrate that no data or privileged functions were abused before the fix.
European regulation is moving in the same direction. NIS2 raises expectations around supply chain security for essential and important entities, while sector regulators increasingly expect organisations to understand technology dependencies beyond headline cloud, telecoms, and outsourcing providers. Specialist ERP, billing, CRM, scheduling, and market-interface systems can become operationally important without appearing in traditional critical infrastructure diagrams.
Procurement and governance teams therefore need more than a supplier’s broad security claims. The useful questions are whether critical-sector organisations know which suppliers hold privileged access to sensitive workflows, whether those suppliers can evidence secure-by-design practices, and whether disclosure notices contain enough information for customers to assess retrospective exposure.
INCIBE’s advisory provides a useful public record: affected version, vulnerability type, severity, remediation date, exploitation status, and technical detail. That level of disclosure is becoming more valuable as European entities prepare for a regime in which vulnerability handling, supplier documentation, and incident reporting are treated as part of operational resilience.





