Description
A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in Yonyou KSOA 9.0's /worksheet/worksadd.jsp allows an unauthenticated remote attacker to inject SQL through the ID GET parameter, which reaches a database query without being neutralized. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection') together with its parent CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'). The CNA description refers to the affected code as unknown, so the exact query and the database backend are not public.

Affected Systems

The affected product is Yonyou KSOA version 9.0, specifically the HTTP GET Parameter Handler component and the worksadd.jsp file; no other versions or subcomponents are listed as vulnerable.

Risk and Exploitability

The 6.9 Medium is the CVSS v4.0 score (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P): reachable over the network, low attack complexity, no privileges or user interaction required, with low impact on each of confidentiality, integrity and availability. The vector already carries the exploit-maturity metric E:P (proof of concept), so it is not a pure base score; the same finding scores 7.3 High on CVSS v3.1 and 7.5 on v2.0. The EPSS score below 1% estimates a low probability of exploitation activity in the next 30 days, and the vulnerability is not in the CISA KEV catalog, so no confirmed in-the-wild exploitation is on record. That should not be read as hard to exploit: the SSVC assessment marks it Automatable: yes with Exploitation: poc, and the public exploit needs no authentication. A successful attack can read or modify data in the backing database or disrupt the service.

Generated by OpenCVE AI on April 18, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch or upgrade to a fixed version of Yonyou KSOA as soon as one becomes available; none was listed at the time of writing, and the CNA reports that the vendor did not respond to the disclosure.
  • Until then, restrict who can reach /worksheet/worksadd.jsp (firewall or reverse-proxy ACL, or role-based access control so that only authenticated, authorised users hit the endpoint) and validate the ID parameter against a strict allow-list of what it is expected to contain (digits only, if it is a numeric identifier) rather than trying to recognise SQL syntax, which attackers routinely evade with encoding and alternative operators.
  • Deploy a Web Application Firewall rule for SQL injection against worksadd.jsp and alert on matches, but treat it as a compensating control and a detection source, not as a fix: the underlying query must be parameterised in the application code, which only the vendor can change.
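
The difference between the two interim controls above (an allow-list on the parameter versus recognising "suspicious SQL syntax") is easiest to see on log data. The script below is an added example and is not code from Yonyou KSOA, VulDB or OpenCVE; it assumes that ID is a positive decimal integer (the advisory does not state its type) and that the access log is in Apache/nginx combined format. The log lines are constructed for the example, not captured from a real system.

```python
"""Allow-list validation and access-log review for the ID parameter of
/worksheet/worksadd.jsp (CVE-2026-1129).

Added example; not code from Yonyou KSOA, VulDB or OpenCVE.
Assumptions (the advisory states neither):
  * the ID parameter is a positive decimal integer of at most 10 digits;
  * access logs are in Apache/nginx "combined" format.
"""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/worksheet/worksadd.jsp"

# Allow-list: the only thing a numeric ID may contain (assumption, see above).
ID_ALLOWED = re.compile(r"[0-9]{1,10}")

# Blocklist in the spirit of "reject suspicious SQL syntax"; kept here to show its gaps.
SQL_BLOCKLIST = re.compile(r"'|--|;|\b(union|select|or|and)\b", re.IGNORECASE)

# Combined log format: client, ident, user, [timestamp], "method target protocol", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def raw_query_param(query: str, name: str):
    """First value of `name` in a raw query string, still percent-encoded.

    parse_qs() would decode the value and hide encoding tricks, so split by hand.
    """
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def decode_once(raw_value: str) -> str:
    """Decode the way a servlet container does for request.getParameter(): one pass, '+' is a space."""
    return unquote_plus(raw_value)


def id_allowed(raw_id: str) -> bool:
    """Allow-list check: after one decoding pass the value must be digits only."""
    return ID_ALLOWED.fullmatch(decode_once(raw_id)) is not None


def blocklist_hit(raw_id: str) -> bool:
    """Blocklist check on the once-decoded value, as a naive WAF signature would do."""
    return SQL_BLOCKLIST.search(decode_once(raw_id)) is not None


def analyze(log_lines):
    """One finding per request to TARGET_PATH that carries an ID parameter."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue                      # not a parseable access-log line
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue                      # some other endpoint
        raw_id = raw_query_param(url.query, "ID")
        if raw_id is None:
            continue                      # endpoint hit without the vulnerable parameter
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "raw_id": raw_id,
            "decoded_id": decode_once(raw_id),
            "allowlisted": id_allowed(raw_id),
            "blocklist_hit": blocklist_hit(raw_id),
        })
    return findings


# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    '198.51.100.10 - - [19/Jan/2026:09:01:10 +0000] "GET /worksheet/worksadd.jsp?ID=4711 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    # classic tautology, decodes to: 4711' OR '1'='1
    '198.51.100.10 - - [19/Jan/2026:09:01:12 +0000] "GET /worksheet/worksadd.jsp?ID=4711%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9877 "-" "Mozilla/5.0"',
    # double-encoded quote: decodes once to 4711%27, so there is no quote for a blocklist to see
    '198.51.100.10 - - [19/Jan/2026:09:01:15 +0000] "GET /worksheet/worksadd.jsp?ID=4711%2527 HTTP/1.1" 500 612 "-" "Mozilla/5.0"',
    # operator instead of a keyword, decodes to: 4711 || 1
    '198.51.100.10 - - [19/Jan/2026:09:01:17 +0000] "GET /worksheet/worksadd.jsp?ID=4711%20%7C%7C%201 HTTP/1.1" 200 9877 "-" "Mozilla/5.0"',
    # same endpoint without the parameter: nothing to inspect
    '203.0.113.7 - - [19/Jan/2026:09:02:00 +0000] "GET /worksheet/worksadd.jsp HTTP/1.1" 200 1500 "-" "curl/8.0"',
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        verdict = "ok" if f["allowlisted"] else "REJECT"
        print(f'{f["ts"]} {f["ip"]} ID={f["decoded_id"]!r} allow-list={verdict} blocklist_hit={f["blocklist_hit"]}')
```

Of the three malformed values only the textbook tautology trips the blocklist; the double-encoded quote and the `||` operator carry none of the listed tokens yet are plainly not identifiers, and the allow-list rejects all three with one rule. The same allow-list check is what a reverse proxy or WAF in front of worksadd.jsp should enforce while no patch exists, and the findings that fail it are the ones worth raising as alerts.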

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yonyou:ksoa:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yonyou:ksoa:9.0:*:*:*:*:*:*:*

Tue, 20 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Yonyou, Yonyou ksoa
Vendors & Products Yonyou, Yonyou ksoa

Mon, 19 Jan 2026 00:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Yonyou KSOA HTTP GET Parameter worksadd.jsp sql injection
Weaknesses CWE-74, CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:39:56.591Z

Reserved: 2026-01-18T07:13:36.202Z

Link: CVE-2026-1129

Vulnrichment

Updated: 2026-01-20T15:36:36.808Z

NVD

Status : Analyzed

Published: 2026-01-19T01:16:00.833

Modified: 2026-02-10T17:01:08.443

Link: CVE-2026-1129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses