Skip to main content

qihang-wms EUVDEUVD-2026-29948

| CVE-2026-37429 MEDIUM
SQL Injection (CWE-89)
2026-05-13 mitre GHSA-vm77-62fc-6c28
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 10:39 vuln.today
CVSS changed
May 13, 2026 - 19:22 NVD
6.5 (MEDIUM)
CVE Published
May 13, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII) via a crafted SQL statement.

AnalysisAI

SQL injection in qihang-wms (commit 75c15a) exposes sensitive database contents, including user PII, to unauthenticated remote attackers via the datascope parameter in SysUserMapper.xml. The vulnerability requires no authentication, no user interaction, and is reachable over the network, making automated exploitation feasible. SSVC assessment confirms exploitation has not been observed and EPSS sits at 0.03% (9th percentile), indicating low current exploitation interest despite the permissive attack surface.

Technical ContextAI

qihang-wms is a Chinese e-commerce warehouse management system. The vulnerability resides in SysUserMapper.xml, a MyBatis ORM mapper file - a Java persistence framework that constructs SQL from XML-defined templates. MyBatis is susceptible to SQL injection when dynamic query fragments (e.g., ${} interpolation rather than #{} parameterized binding) are used without sanitization. The datascope parameter appears to be passed directly into a SQL clause without parameterization, satisfying CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The affected product version is pinned to a specific Git commit (75c15a) rather than a named release, indicating this is an open-source project tracked by commit hash. CPE data returned as n/a means no official NVD product tree entry exists for this software, complicating automated scanner detection.

RemediationAI

No vendor-released patched version has been identified at time of analysis; the fix version is not independently confirmed from available data. Organizations running qihang-wms at or before commit 75c15a should review the SysUserMapper.xml file and convert any ${} dynamic SQL interpolation on the datascope parameter to MyBatis parameterized #{} bindings, which enforce prepared statement semantics and eliminate injection. As a compensating control, restrict network access to the WMS application to trusted internal networks only, preventing unauthenticated internet-facing exploitation - this directly counters the AV:N/PR:N attack vector but does not fix the underlying flaw. Additionally, apply database least-privilege principles: ensure the WMS database account cannot read user PII tables beyond application requirements. The researcher disclosure is documented at https://github.com/Y4y17/CVE/blob/main/%E5%90%AF%E8%88%AA%E7%94%B5%E5%95%86WMS/SQL%20Injection%20Vulnerability%20-%202.md and https://gist.github.com/Y4y17/6587147a37eba5b31de832e067f317ef, which may contain additional technical detail useful for patch verification.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

EUVD-2026-29948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy