Skip to main content

Dromara MaxKey CVE-2026-7699

| EUVDEUVD-2026-26837 LOW
SQL Injection (CWE-89)
2026-05-03 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
May 03, 2026 - 15:22 NVD
MEDIUM LOW
CVSS changed
May 03, 2026 - 15:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 03, 2026 - 15:15 vuln.today
Public exploit code
Analysis Generated
May 03, 2026 - 14:45 vuln.today
EUVD ID Assigned
May 03, 2026 - 14:30 euvd
EUVD-2026-26837
Analysis Generated
May 03, 2026 - 14:30 vuln.today
CVE Published
May 03, 2026 - 14:00 nvd
LOW 2.1

DescriptionCVE.org

A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Dromara MaxKey up to version 3.5.13 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the filtersfields argument in the StrUtils.checkSqlInjection function, potentially leading to unauthorized data access, modification, or deletion. The vulnerability requires low-privilege authentication and has publicly available exploit code; the vendor has not responded to early disclosure notifications.

Technical ContextAI

The vulnerability resides in the StrUtils.java file, specifically in the checkSqlInjection function which is responsible for validating user input to prevent SQL injection attacks. The flaw occurs because the filtersfields parameter is not properly sanitized or parameterized before being used in SQL queries, allowing an authenticated user to inject malicious SQL code. This is a classic SQL injection vulnerability (CWE-89) where insufficient input validation on a critical security function defeats the protection mechanism itself. The CPE indicates all versions of Dromara MaxKey up to 3.5.13 are affected.

RemediationAI

Immediate patching is recommended: upgrade Dromara MaxKey to a version released after 3.5.13 that addresses the SQL injection flaw in StrUtils.checkSqlInjection. Contact Dromara directly for patched release availability given the vendor's reported non-responsiveness to prior disclosure. As an interim compensating control, restrict network access to MaxKey administrative interfaces to trusted networks only, and implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in HTTP requests targeting the filtersfields parameter. Additionally, enforce strong authentication policies to minimize the number of low-privilege accounts with access to MaxKey, and implement database-level SQL injection protections such as prepared statements and parameterized queries where possible. Monitor database query logs for anomalous SQL patterns, particularly those containing UNION, SELECT, or comment sequences in filtersfields parameters. Note: WAF and logging controls mitigate exploitation but do not eliminate the vulnerability; patching remains the definitive remediation.

Share

CVE-2026-7699 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy