Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in Dromara MaxKey up to version 3.5.13 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the filtersfields argument in the StrUtils.checkSqlInjection function, potentially leading to unauthorized data access, modification, or deletion. The vulnerability requires low-privilege authentication and has publicly available exploit code; the vendor has not responded to early disclosure notifications.
Technical ContextAI
The vulnerability resides in the StrUtils.java file, specifically in the checkSqlInjection function which is responsible for validating user input to prevent SQL injection attacks. The flaw occurs because the filtersfields parameter is not properly sanitized or parameterized before being used in SQL queries, allowing an authenticated user to inject malicious SQL code. This is a classic SQL injection vulnerability (CWE-89) where insufficient input validation on a critical security function defeats the protection mechanism itself. The CPE indicates all versions of Dromara MaxKey up to 3.5.13 are affected.
RemediationAI
Immediate patching is recommended: upgrade Dromara MaxKey to a version released after 3.5.13 that addresses the SQL injection flaw in StrUtils.checkSqlInjection. Contact Dromara directly for patched release availability given the vendor's reported non-responsiveness to prior disclosure. As an interim compensating control, restrict network access to MaxKey administrative interfaces to trusted networks only, and implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in HTTP requests targeting the filtersfields parameter. Additionally, enforce strong authentication policies to minimize the number of low-privilege accounts with access to MaxKey, and implement database-level SQL injection protections such as prepared statements and parameterized queries where possible. Monitor database query logs for anomalous SQL patterns, particularly those containing UNION, SELECT, or comment sequences in filtersfields parameters. Note: WAF and logging controls mitigate exploitation but do not eliminate the vulnerability; patching remains the definitive remediation.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26837