Skip to main content

qihang-wms EUVDEUVD-2026-29946

| CVE-2026-37428 MEDIUM
SQL Injection (CWE-89)
2026-05-13 mitre GHSA-pj9f-375x-gx35
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 10:50 vuln.today
CVSS changed
May 13, 2026 - 19:22 NVD
6.5 (MEDIUM)
CVE Published
May 13, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII).

AnalysisAI

SQL injection in qihang-wms (commit 75c15a) via the unsanitized datascope parameter in SysDeptMapper.xml allows remote database access without authentication. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated, network-accessible, low-complexity exploitation yielding partial confidentiality and integrity impact, including exposure of users' PII from the backend database. Publicly available exploit code exists via GitHub-hosted writeups and proof-of-concept scripts, though EPSS sits at 0.03% (9th percentile) and SSVC reports no confirmed active exploitation at time of analysis.

Technical ContextAI

qihang-wms (启航电商WMS) is a Chinese-language warehouse management system built on a Java stack with MyBatis as its ORM layer. MyBatis defines SQL queries in XML mapper files; when developers use the ${param} interpolation syntax instead of the safe #{param} parameterized syntax, user-supplied input is concatenated directly into the SQL string. The datascope parameter in SysDeptMapper.xml is the specific injection point, likely used to filter department-scope queries dynamically. CWE-89 (Improper Neutralization of Special Elements in SQL Commands) is the root cause class. No formal CPE entry exists (listed as cpe:2.3:a:n/a:n/a), and affected version data is tied solely to commit 75c15a of the qihang-wms repository with no broader version range confirmed by available intelligence.

RemediationAI

No vendor-released patch has been identified at time of analysis; the fix status for qihang-wms beyond commit 75c15a is unconfirmed. The primary code-level fix is to replace string-concatenated SQL in SysDeptMapper.xml with MyBatis parameterized syntax - specifically, changing ${datascope} references to #{datascope}, which causes MyBatis to use prepared statements and prevents injection. As a compensating control, implement strict input allowlisting for the datascope parameter at the application layer, restricting it to expected enumerated values (e.g., department ID integers), which will break injection payloads but may affect legitimate functionality if the parameter accepts arbitrary scope expressions. Deploying a WAF with SQL injection detection rules targeting the vulnerable endpoint provides an additional layer but is not a substitute for code fixes and may generate false positives on legitimate queries containing SQL-like terms. Restrict network access to qihang-wms to internal networks only if internet exposure is not required. The researcher's technical writeup is available at https://github.com/Y4y17/CVE/blob/main/%E5%90%AF%E8%88%AA%E7%94%B5%E5%95%86WMS/SQL%20injection%20vulnerability-1.md and additional POC material at https://gist.github.com/Y4y17/6587147a37eba5b31de832e067f317ef.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

EUVD-2026-29946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy