Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII).
AnalysisAI
SQL injection in qihang-wms (commit 75c15a) via the unsanitized datascope parameter in SysDeptMapper.xml allows remote database access without authentication. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated, network-accessible, low-complexity exploitation yielding partial confidentiality and integrity impact, including exposure of users' PII from the backend database. Publicly available exploit code exists via GitHub-hosted writeups and proof-of-concept scripts, though EPSS sits at 0.03% (9th percentile) and SSVC reports no confirmed active exploitation at time of analysis.
Technical ContextAI
qihang-wms (启航电商WMS) is a Chinese-language warehouse management system built on a Java stack with MyBatis as its ORM layer. MyBatis defines SQL queries in XML mapper files; when developers use the ${param} interpolation syntax instead of the safe #{param} parameterized syntax, user-supplied input is concatenated directly into the SQL string. The datascope parameter in SysDeptMapper.xml is the specific injection point, likely used to filter department-scope queries dynamically. CWE-89 (Improper Neutralization of Special Elements in SQL Commands) is the root cause class. No formal CPE entry exists (listed as cpe:2.3:a:n/a:n/a), and affected version data is tied solely to commit 75c15a of the qihang-wms repository with no broader version range confirmed by available intelligence.
RemediationAI
No vendor-released patch has been identified at time of analysis; the fix status for qihang-wms beyond commit 75c15a is unconfirmed. The primary code-level fix is to replace string-concatenated SQL in SysDeptMapper.xml with MyBatis parameterized syntax - specifically, changing ${datascope} references to #{datascope}, which causes MyBatis to use prepared statements and prevents injection. As a compensating control, implement strict input allowlisting for the datascope parameter at the application layer, restricting it to expected enumerated values (e.g., department ID integers), which will break injection payloads but may affect legitimate functionality if the parameter accepts arbitrary scope expressions. Deploying a WAF with SQL injection detection rules targeting the vulnerable endpoint provides an additional layer but is not a substitute for code fixes and may generate false positives on legitimate queries containing SQL-like terms. Restrict network access to qihang-wms to internal networks only if internet exposure is not required. The researcher's technical writeup is available at https://github.com/Y4y17/CVE/blob/main/%E5%90%AF%E8%88%AA%E7%94%B5%E5%95%86WMS/SQL%20injection%20vulnerability-1.md and additional POC material at https://gist.github.com/Y4y17/6587147a37eba5b31de832e067f317ef.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29946
GHSA-pj9f-375x-gx35