Which versions of Yu Picture are affected by CVE-2026-7060?

CVE-2026-7060 is a critical SQL injection vulnerability in Yu Picture's PageRequest handler that allows unauthenticated attackers to manipulate database queries and compromise confidentiality,…. A patch is available.

Is there a public PoC exploit available for CVE-2026-7060?

Yes, a public proof-of-concept exploit is available for CVE-2026-7060. Prioritise patching immediately. EPSS: 0.0%.

Yu Picture CVE-2026-7060

Q: What is the CVSS score of CVE-2026-7060?

CVE-2026-7060 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-25730 MEDIUM

SQL Injection (CWE-89)

2026-04-26 VulDB

Java SQLi

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 26, 2026 - 22:22 NVD

HIGH MEDIUM

CVSS changed

Apr 26, 2026 - 22:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 26, 2026 - 21:00 vuln.today

EUVD ID Assigned

Apr 26, 2026 - 20:30 euvd

EUVD-2026-25730

Analysis Generated

Apr 26, 2026 - 20:30 vuln.today

Patch released

Apr 26, 2026 - 20:30 nvd

Patch available

CVE Published

Apr 26, 2026 - 20:15 nvd

MEDIUM 5.5

DescriptionNVD

A vulnerability was determined in liyupi yu-picture up to a053632c41340152bf75b66b3c543d129123d8ec. This impacts the function PageRequest of the file yu-picture-backend/src/main/java/com/yupi/yupicturebackend/service/impl/PictureServiceImpl.java of the component MyBatis-Plus. Executing a manipulation of the argument sortField can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Applying a patch is advised to resolve this issue. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

SQL injection in Yu Picture's PageRequest handler allows remote unauthenticated attackers to manipulate database queries via the sortField parameter in PictureServiceImpl.java. The vulnerability exists in MyBatis-Plus integration code at commit a053632c41340152bf75b66b3c543d129123d8ec. …

RemediationAI

Within 24 hours: identify all instances of Yu Picture in production and development environments; verify current version against vulnerable commit a053632c41340152bf75b66b3c543d129123d8ec. Within 7 days: apply vendor patch from pull request #3 or upgrade to patched version once officially released; test in staging environment before production deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7060 vulnerability details – vuln.today

Back

Yu Picture CVE-2026-7060

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Yu Picture CVE-2026-7060

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code