Skip to main content

YunaiV CVE-2026-5148

| EUVDEUVD-2026-17216 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-30 cna@vuldb.com GHSA-mvcq-rxc9-9pvf
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.1 (MEDIUM) 2.0 (LOW)
EUVD ID Assigned
Mar 30, 2026 - 20:22 euvd
EUVD-2026-17216
Analysis Generated
Mar 30, 2026 - 20:22 vuln.today
CVE Published
Mar 30, 2026 - 20:16 nvd
MEDIUM 5.1

DescriptionCVE.org

A weakness has been identified in YunaiV yudao-cloud up to 2026.01. This vulnerability affects unknown code of the file /admin-api/system/mail-log/page. This manipulation of the argument toMail causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in YunaiV yudao-cloud up to version 2026.01 allows authenticated remote attackers to execute arbitrary SQL queries via the toMail parameter in the /admin-api/system/mail-log/page endpoint, enabling data exfiltration and potential database manipulation. The vulnerability carries a CVSS score of 5.1 with moderate confidentiality and integrity impact. Public exploit code is available, and the vendor has not responded to early disclosure efforts, leaving organizations dependent on self-patching or workarounds.

Technical ContextAI

The vulnerability is a SQL injection (CWE-74) affecting the yudao-cloud application framework, a cloud-native microservices platform. The flaw exists in the mail logging API endpoint (/admin-api/system/mail-log/page) where user-supplied input in the toMail parameter is insufficiently sanitized before being incorporated into database queries. SQL injection of this type typically occurs when dynamic SQL is constructed through string concatenation without parameterized queries or proper input validation, allowing attackers to break out of the intended query context and inject malicious SQL commands. The attack surface is the administrative API layer, which handles system mail log retrieval functionality.

RemediationAI

No vendor-released patch has been identified at time of analysis. Organizations should immediately implement the following defensive measures: (1) Restrict access to the /admin-api/system/mail-log/page endpoint to only trusted administrative networks using firewall or API gateway rules; (2) Audit administrative accounts and revoke unnecessary high-privilege credentials to minimize the attack surface; (3) Monitor database query logs for suspicious SQL patterns in mail-log-related queries; (4) Consider disabling or isolating the mail logging feature if not actively used. Contact YunaiV through alternative channels to request security updates. If the vendor remains unresponsive, evaluate migration to maintained alternatives or implement a Web Application Firewall (WAF) rule set to detect and block SQL injection payloads targeting the toMail parameter.

Share

CVE-2026-5148 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy