Description
A security vulnerability has been detected in Jinher OA 1.0. This affects an unknown function of the file nextselectplan.aspx. Such manipulation of the argument httpOID leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-06
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to craft an HTTP request that sets the httpOID parameter to an arbitrary value, injecting SQL code into the backend query. This can lead to the execution of arbitrary SQL statements, enabling unauthorized data disclosure, modification, or deletion. The weakness is a classic injection flaw (CWE-74 and CWE-89) that targets web input handling and database interaction.

Affected Systems

The affected software is Jinher OA, specifically version 1.0 as identified in the advisory, though the issue may apply to other releases that share the same vulnerable code in nextselectplan.aspx.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity overall. No EPSS data is available, but the vulnerability is publicly disclosed and can be triggered remotely without authentication, meaning an attacker could exploit it from the Internet. The lack of a KEV listing suggests no evidence of widespread exploitation so far, but the potential for data compromise remains significant.

Generated by OpenCVE AI on June 6, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Jinher OA patch or upgrade to a release that includes the SQL injection fix; if no patch is available, restrict network access to the application or implement a boundary firewall that limits exposure to trusted IPs.
  • Deploy a Web Application Firewall tuned to block common SQL injection patterns and monitor HTTP traffic for anomalous httpOID values.
  • Modify the application to validate and sanitize the httpOID parameter or rewrite the database query to use parameterized statements, ensuring that user input cannot alter the intended SQL logic.
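
The monitoring step above can be run offline against IIS W3C logs to find requests to nextselectplan.aspx whose httpOID value looks abnormal. This is an added example, not code from OpenCVE or Jinher; it assumes legitimate httpOID values are short identifier-like tokens, and the log lines and the /app/ path are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

TARGET_PAGE = "nextselectplan.aspx"   # file named in the advisory
TARGET_PARAM = "httpoid"              # parameter named in the advisory, matched case-insensitively
# Assumption: normal values are short identifier-like tokens; adjust to your deployment.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_{}-]{1,64}")
SQL_MARKERS = re.compile(
    r"""['";]|--|/\*|\b(?:union|select|insert|update|delete|drop|exec|declare)\b""",
    re.IGNORECASE)

def classify(value):
    """Return a reason string for a suspicious decoded value, or None if it looks normal."""
    if SQL_MARKERS.search(value):
        return "sql-metacharacter-or-keyword"
    if not SAFE_VALUE.fullmatch(value):
        return "unexpected-format"
    return None

def scan_iis_log(lines):
    """Return (line_no, client_ip, reason, decoded_value) for each suspicious request."""
    columns, findings = [], []
    for number, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):      # W3C header names the columns that follow
            columns = line.split()[1:]
            continue
        if line.startswith("#") or not columns:
            continue
        row = dict(zip(columns, line.split()))
        if TARGET_PAGE not in row.get("cs-uri-stem", "").lower():
            continue
        query = row.get("cs-uri-query", "")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == TARGET_PARAM and (reason := classify(value)):
                findings.append((number, row.get("c-ip", "?"), reason, value))
    return findings

# Constructed sample log lines (documentation IP ranges, hypothetical /app/ path).
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2026-06-06 10:00:01 GET /app/nextselectplan.aspx httpOID=1024 192.0.2.10 200",
    "2026-06-06 10:00:05 GET /app/nextselectplan.aspx httpOID=1%27+OR+%271%27%3D%271 198.51.100.7 500",
    "2026-06-06 10:00:09 GET /app/other.aspx id=5%27 198.51.100.7 200",
    "2026-06-06 10:00:12 POST /app/NextSelectPlan.aspx HTTPOID=abc%20def 203.0.113.4 200",
]

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

Values sent in a POST body do not appear in cs-uri-query, so this covers query-string requests only.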


Advisories

No advisories yet.

History

Sat, 06 Jun 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A security vulnerability has been detected in Jinher OA 1.0. This affects an unknown function of the file nextselectplan.aspx. Such manipulation of the argument httpOID leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Title | | Jinher OA nextselectplan.aspx sql injection |
| First Time appeared | | Jinher; Jinher oa |
| Weaknesses | | CWE-74; CWE-89 |
| CPEs | | cpe:2.3:a:jinher:oa:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Jinher; Jinher oa |
| References | | |
| Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-06T15:15:09.677Z

Reserved: 2026-06-05T22:08:29.266Z

Link: CVE-2026-11435

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-06T16:16:54.550

Modified: 2026-06-06T16:16:54.550

Link: CVE-2026-11435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T16:30:24Z
