Skip to main content

litemall CVE-2026-8772

| EUVDEUVD-2026-30718 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-18 cna@vuldb.com GHSA-5x7m-fp78-pgfp
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 00:28 vuln.today

DescriptionCVE.org

A weakness has been identified in linlinjava litemall up to 1.8.0. Affected is an unknown function of the component Admin Endpoint. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in linlinjava litemall 1.8.0 and earlier allows high-privileged remote attackers to read and modify database contents via crafted requests to multiple Admin Endpoint functions. Public exploit code available (EPSS probability unknown from provided data). Attack requires administrative credentials (PR:H) but achieves confidentiality, integrity, and availability impact on vulnerable component (VC:L/VI:L/VA:L). Despite CVSS 4.0 score of 2.0 (Low severity due to high privilege requirement), the existence of public POC and lack of vendor response elevates practical risk for installations where admin accounts may be compromised.

Technical ContextAI

litemall is a Java-based Spring Boot e-commerce mall system. The vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically manifesting as SQL injection in the administrative backend. The Admin Endpoint likely uses unsanitized user input in SQL queries, allowing attackers with administrative access to inject malicious SQL commands. The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) with low attack complexity (AC:L) but requires high privileges (PR:H), limiting the attack surface to scenarios where admin credentials are already compromised through credential theft, phishing, or insider threat. Multiple admin endpoints are affected, suggesting systemic input validation failures rather than an isolated coding error.

RemediationAI

No vendor-released patch identified at time of analysis - vendor did not respond to disclosure per VulDB report. Primary mitigation: Implement parameterized queries or prepared statements in all Admin Endpoint database interactions to prevent SQL injection. Code-level fix required in application source. Compensating controls for deployed instances: (1) Enforce multi-factor authentication on all administrative accounts to reduce credential compromise risk (trade-off: user friction, deployment complexity); (2) Restrict admin panel access to specific internal IP ranges via firewall rules or web application firewall (trade-off: limits remote administration, may break legitimate workflows); (3) Deploy database activity monitoring to detect anomalous SQL queries from admin sessions (trade-off: operational overhead, potential false positives); (4) Apply principle of least privilege - create role-based admin accounts with minimal necessary database permissions rather than full superuser access (trade-off: may require application code changes to support granular roles); (5) Consider migrating to actively maintained e-commerce platforms if vendor remains unresponsive. Monitor GitHub repository github.com/linlinjava/litemall for community patches. Reference public exploit analysis at https://gist.github.com/A1AAAAAAAAAA1/bc875f5be52b44b2e557c5312e355d47 and VulDB technical details at https://vuldb.com/vuln/364397/cti for attack surface understanding.

Share

CVE-2026-8772 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy