Description
A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery; therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in FeMiner Warehouse Management System in the chkuser.php file. An attacker can manipulate the Username argument to inject arbitrary SQL via the web interface, enabling remote execution of database commands. This flaw allows an attacker to read, modify or delete data, thereby compromising confidentiality, integrity, and potentially availability of the underlying database.

Affected Systems

The flaw affects all FeMiner Warehouse Management System releases up to the commit identified by 9cad1f1b179a98b9547fd003c23b07c7594775fa. Version specifics are not published because the product follows a rolling release model. All installations deployed before the fix remain vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 6.9 indicates medium severity. With an EPSS score below 1%, the likelihood of exploitation is low, and the flaw is not currently listed in CISA's KEV catalog, suggesting no widespread, publicly available exploits. However, the vulnerability is exploitable remotely over the network, requiring only access to the affected endpoint. Attackers could inject SQL statements through the Username parameter and gain unauthorized data access or alter data, especially if the database account's privileges are excessive. The lack of input validation and the absence of prepared statements enable the injection, consistent with CWE-89.

Generated by OpenCVE AI on April 18, 2026 at 05:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest FeMiner release that contains the fix for the chkuser.php SQL injection.
  • Deploy or configure a Web Application Firewall to detect and block malicious SQL payloads targeting the Username parameter.
  • Refactor the application code to use prepared statements or properly escape all user-supplied input, especially for the Username field.
  • Restrict the database account used by FeMiner to the minimum privileges required for normal operation, limiting the potential damage of an injected query.
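The two code-level recommendations above (prepared statements, least-privilege database account), shown as an added illustration that is not FeMiner's own code: the real /src/chkuser.php is not reproduced on this page, so the login lookup, table and column names below are hypothetical.

```php
<?php
// Added example, not FeMiner's own code: the real /src/chkuser.php is not
// reproduced on this page. A hypothetical login lookup shows the defect class
// (CWE-89) beside the prepared-statement fix recommended above.

// Vulnerable pattern: the Username value is spliced into the SQL text, so the
// database parser treats attacker-controlled characters as part of the query.
function lookup_user_vulnerable(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, password_hash, role FROM users WHERE username = '" . $username . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened pattern: the query text is fixed and the value travels as a bound
// parameter, so it cannot alter the statement's structure whatever it contains.
function lookup_user_hardened(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash, role FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The password check happens in PHP against a stored password_hash() value,
// never inside the SQL text.
function check_login(mysqli $db, string $username, string $password): ?array
{
    $row = lookup_user_hardened($db, $username);
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;  // same response for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Hypothetical wiring: a least-privilege account (SELECT on users only) limits
// what any injected query could have reached even if the fix were missed.
// $db = new mysqli('localhost', 'wms_login', '<password>', 'wms');
// $user = check_login($db, $_POST['Username'] ?? '', $_POST['Password'] ?? '');
```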

Tracking

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 20:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Feminer; Feminer warehouse Management System
CPEs                |                | cpe:2.3:a:feminer:warehouse_management_system:*:*:*:*:*:*:*:*
Vendors & Products  |                | Feminer; Feminer warehouse Management System

Wed, 21 Jan 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Feminor; Feminor wms
Vendors & Products  |                | Feminor; Feminor wms

Sat, 17 Jan 2026 18:45:00 +0000

Type        | Values Removed | Values Added
Description |                | A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
Title       |                | FeMiner wms chkuser.php sql injection
Weaknesses  |                | CWE-74; CWE-89
References  |                |
Metrics     |                | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:33:38.585Z

Reserved: 2026-01-16T19:04:21.251Z

Link: CVE-2026-1059

Vulnrichment

Updated: 2026-01-21T18:52:01.355Z

NVD

Status : Analyzed

Published: 2026-01-17T19:15:50.917

Modified: 2026-02-06T20:13:21.787

Link: CVE-2026-1059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses