Description
A vulnerability was determined in Yonyou KSOA 9.0. The affected element is an unknown function in the file /kmf/folder.jsp of the HTTP GET Parameter Handler component. Manipulating the folderid argument can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in Yonyou KSOA 9.0, in the HTTP GET parameter handler of the folder.jsp file. An attacker can manipulate the folderid argument to inject SQL, a classic SQL injection flaw that compromises the confidentiality and integrity of the backend database and may allow unauthorized data retrieval or modification.

Affected Systems

The flaw affects Yonyou KSOA version 9.0. The affected component is the HTTP GET parameter handler of the /kmf/folder.jsp file in the KSOA application.

Risk and Exploitability

The entry has a CVSS score of 6.9, indicating medium severity. An EPSS score below 1% and the absence of a CISA KEV listing suggest that the likelihood of exploitation remains low at this time. The vulnerability is exploitable remotely via a crafted HTTP GET request, and a public exploit exists, so it can be exploited wherever no mitigations are in place.

Generated by OpenCVE AI on April 18, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Yonyou KSOA to the latest patched release that addresses the SQL injection flaw
  • Restrict external access to the web application by configuring firewall or VPN controls so that only trusted hosts can issue HTTP GET requests to folder.jsp
  • Implement input validation or a web application firewall rule that validates the folderid parameter and blocks malformed or potentially malicious values
  • Monitor application logs for suspicious SQL activity and configure alerts for anomalous query patterns

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:45:00 +0000
CPEs: cpe:2.3:a:yonyou:ksoa:*:*:*:*:*:*:*:*

Fri, 06 Feb 2026 19:45:00 +0000
CPEs: cpe:2.3:a:yonyou:ksoa:9.0:*:*:*:*:*:*:*

Tue, 20 Jan 2026 16:15:00 +0000
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000
First Time appeared: Yonyou, Yonyou ksoa
Vendors & Products: Yonyou, Yonyou ksoa

Mon, 19 Jan 2026 02:45:00 +0000
Description: A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /kmf/folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Yonyou KSOA HTTP GET Parameter folder.jsp sql injection
Weaknesses: CWE-74, CWE-89
References:
Metrics:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:40:44.400Z

Reserved: 2026-01-18T07:13:54.296Z

Link: CVE-2026-1133

Vulnrichment

Updated: 2026-01-20T15:27:28.400Z

NVD

Status: Analyzed

Published: 2026-01-19T03:16:02.023

Modified: 2026-02-06T19:41:25.857

Link: CVE-2026-1133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:30:25Z

Weaknesses