Skip to main content

H3C SecPath F1000-C8300 CVE-2026-15907

| EUVDEUVD-2026-44837 MEDIUM
SQL Injection (CWE-89)
2026-07-15 VulDB GHSA-5v3j-c5fm-2mm6
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Network-reachable WebUI endpoint requires no authentication (PR:N), no complexity; low-level CIA impact consistent with SQL injection on an appliance management database.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 16, 2026 - 00:29 vuln.today
CVSS changed
Jul 16, 2026 - 00:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
CVE Published
Jul 15, 2026 - 23:45 cve.org
MEDIUM 5.5

DescriptionCVE.org

A flaw has been found in H3C SecPath F1000-C8300 up to 20260522. This impacts an unknown function of the file /webui/?g=log_fw_nbc_mail_jsondata. Executing a manipulation of the argument subject can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

AnalysisAI

SQL injection in H3C SecPath F1000-C8300 (firmware up to 20260522) allows unauthenticated remote attackers to manipulate database queries via the subject parameter in the /webui/?g=log_fw_nbc_mail_jsondata web management endpoint. The vendor has confirmed the vulnerability and acknowledged a planned fix, but no patch is released as of the disclosure date. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach WebUI management interface
Delivery
Send crafted HTTP request to /webui/?g=log_fw_nbc_mail_jsondata
Exploit
Inject SQL payload via subject parameter
Execution
Execute unsanitized query against backend database
Impact
Exfiltrate or manipulate database contents

Vulnerability AssessmentAI

Exploitation The H3C SecPath F1000-C8300 web management interface (WebUI) must be network-accessible to the attacker - this is the sole prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.5 (Medium) reflects low-level confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L), consistent with SQL injection that exposes or manipulates internal database records rather than achieving full remote code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker with network access to the H3C SecPath F1000-C8300 management interface sends a crafted HTTP GET or POST request to `/webui/?g=log_fw_nbc_mail_jsondata` with a maliciously constructed `subject` parameter containing SQL metacharacters (e.g., `' OR 1=1--`). The backend query executes without sanitization, allowing the attacker to extract internal database records such as firewall configuration data, user credentials, or log entries. …
Remediation No vendor-released patch has been identified at time of analysis; H3C has confirmed the vulnerability and stated that a technical fix is planned for future release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy