Which versions of Jinher OA are affected by CVE-2026-11435?

Jinher OA 1.0 contains an unauthenticated SQL injection vulnerability in the nextselectplan.aspx endpoint that allows remote attackers to directly execute arbitrary SQL statements against the…

Is there a public PoC exploit available for CVE-2026-11435?

Yes, a public proof-of-concept exploit is available for CVE-2026-11435. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-11435?

24 hours: Execute asset inventory for all Jinher OA 1.0 instances; remove internet-facing deployments or isolate behind network controls. 7 days: Deploy Web Application Firewall (WAF) rules to block SQL injection patterns on the httpOID parameter of nextselectplan.aspx; enable SQL query logging with real-time alerting on anomalous database activity. 30 days: Verify upgrade path to patched Jinher OA version if available; if no vendor patch path exists, initiate procurement and migration to alternative groupware solution to eliminate exposure.

Jinher OA CVE-2026-11435

Q: What is the CVSS score of CVE-2026-11435?

CVE-2026-11435 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-34970 MEDIUM

SQL Injection (CWE-89)

2026-06-06 VulDB

GHSA-xhq4-92wj-h688

SQLi Oa

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Jun 06, 2026 - 16:22 NVD

HIGH MEDIUM

CVSS changed

Jun 06, 2026 - 16:22 NVD

7.3 (HIGH) 5.5 (MEDIUM)

Analysis Generated

Jun 06, 2026 - 16:00 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in Jinher OA 1.0. This affects an unknown function of the file nextselectplan.aspx. Such manipulation of the argument httpOID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Jinher OA 1.0 allows remote unauthenticated attackers to manipulate the httpOID parameter of nextselectplan.aspx to inject arbitrary SQL statements. Publicly available exploit code exists per VulDB disclosure, and the vendor did not respond to coordinated disclosure attempts, increasing the window of exposure. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed Jinher OA instance

Delivery

Send crafted HTTP request to nextselectplan.aspx

Exploit

Inject SQL payload via httpOID parameter

Execution

Database executes attacker-controlled query

Impact

Exfiltrate or modify database records