Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in linlinjava litemall up to 1.8.0. Affected is an unknown function of the component Admin Endpoint. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in linlinjava litemall 1.8.0 and earlier allows high-privileged remote attackers to read and modify database contents via crafted requests to multiple Admin Endpoint functions. Public exploit code available (EPSS probability unknown from provided data). Attack requires administrative credentials (PR:H) but achieves confidentiality, integrity, and availability impact on vulnerable component (VC:L/VI:L/VA:L). Despite CVSS 4.0 score of 2.0 (Low severity due to high privilege requirement), the existence of public POC and lack of vendor response elevates practical risk for installations where admin accounts may be compromised.
Technical ContextAI
litemall is a Java-based Spring Boot e-commerce mall system. The vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically manifesting as SQL injection in the administrative backend. The Admin Endpoint likely uses unsanitized user input in SQL queries, allowing attackers with administrative access to inject malicious SQL commands. The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) with low attack complexity (AC:L) but requires high privileges (PR:H), limiting the attack surface to scenarios where admin credentials are already compromised through credential theft, phishing, or insider threat. Multiple admin endpoints are affected, suggesting systemic input validation failures rather than an isolated coding error.
RemediationAI
No vendor-released patch identified at time of analysis - vendor did not respond to disclosure per VulDB report. Primary mitigation: Implement parameterized queries or prepared statements in all Admin Endpoint database interactions to prevent SQL injection. Code-level fix required in application source. Compensating controls for deployed instances: (1) Enforce multi-factor authentication on all administrative accounts to reduce credential compromise risk (trade-off: user friction, deployment complexity); (2) Restrict admin panel access to specific internal IP ranges via firewall rules or web application firewall (trade-off: limits remote administration, may break legitimate workflows); (3) Deploy database activity monitoring to detect anomalous SQL queries from admin sessions (trade-off: operational overhead, potential false positives); (4) Apply principle of least privilege - create role-based admin accounts with minimal necessary database permissions rather than full superuser access (trade-off: may require application code changes to support granular roles); (5) Consider migrating to actively maintained e-commerce platforms if vendor remains unresponsive. Monitor GitHub repository github.com/linlinjava/litemall for community patches. Reference public exploit analysis at https://gist.github.com/A1AAAAAAAAAA1/bc875f5be52b44b2e557c5312e355d47 and VulDB technical details at https://vuldb.com/vuln/364397/cti for attack surface understanding.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30718
GHSA-5x7m-fp78-pgfp