CVE-2026-11480 - Vulnerability Details

- Chengdu Everbrite Network Technology BeikeShop Admin Design Builder Endpoint admin.php sql injection

Description

A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. Impacted is an unknown function of the file beike/Admin/Routes/admin.php of the component Admin Design Builder Endpoint. Performing a manipulation of the argument settings.value results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 2fa9805411088069fcc3b0c15b2f1f33d6e09958. To fix this issue, it is recommended to deploy a patch.

Published: 2026-06-08

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A second‑order SQL injection flaw has been discovered in the Chengdu Everbrite Network Technology BeikeShop component located at beike/Admin/Routes/admin.php. The vulnerability is triggered by manipulating the argument settings.value within an unknown function of that file, enabling the injection of arbitrary SQL statements into the backend database. If successfully abused, an attacker can read, modify, or delete data stored by the application, potentially leading to data compromise and loss of integrity.

Affected Systems

All deployments of BeikeShop version 1.6.0.22 or earlier are impacted. The flaw resides specifically in the admin endpoint of the Admin Design Builder component and requires access to the administrative interface via the settings.value parameter.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not provided, but the vulnerability is publicly documented and a working exploit exists. Because the flaw is remotely exploitable through a standard web request and the attack surface is exposed in the administrative interface, the likelihood of exploitation is moderate to high in environments where the admin endpoint is either publicly reachable or insufficiently protected.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Chengdu Everbrite Network Technology

BeikeShop

affected

Version	Status	Constraints
`1.6.0.0`	affected	—
`1.6.0.1`	affected	—
`1.6.0.2`	affected	—
`1.6.0.3`	affected	—
`1.6.0.4`	affected	—
`1.6.0.5`	affected	—
`1.6.0.6`	affected	—
`1.6.0.7`	affected	—
`1.6.0.8`	affected	—
`1.6.0.9`	affected	—
`1.6.0.10`	affected	—
`1.6.0.11`	affected	—
`1.6.0.12`	affected	—
`1.6.0.13`	affected	—
`1.6.0.14`	affected	—
`1.6.0.15`	affected	—
`1.6.0.16`	affected	—
`1.6.0.17`	affected	—
`1.6.0.18`	affected	—
`1.6.0.19`	affected	—
`1.6.0.20`	affected	—
`1.6.0.21`	affected	—
`1.6.0.22`	affected	—

No data.

Vendor Product Confidence Versions

Chengdu Everbrite Network Technology

Beikeshop

90%

Version	Status	Scheme	Platform
`1.6.0.0`	affected	generic	—
`1.6.0.1`	affected	generic	—
`1.6.0.2`	affected	generic	—
`1.6.0.3`	affected	generic	—
`1.6.0.4`	affected	generic	—
`1.6.0.5`	affected	generic	—
`1.6.0.6`	affected	generic	—
`1.6.0.7`	affected	generic	—
`1.6.0.8`	affected	generic	—
`1.6.0.9`	affected	generic	—
`1.6.0.10`	affected	generic	—
`1.6.0.11`	affected	generic	—
`1.6.0.12`	affected	generic	—
`1.6.0.13`	affected	generic	—
`1.6.0.14`	affected	generic	—
`1.6.0.15`	affected	generic	—
`1.6.0.16`	affected	generic	—
`1.6.0.17`	affected	generic	—
`1.6.0.18`	affected	generic	—
`1.6.0.19`	affected	generic	—
`1.6.0.20`	affected	generic	—
`1.6.0.21`	affected	generic	—
`1.6.0.22`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch identified by commit 2fa9805411088069fcc3b0c15b2f1f33d6e09958 or upgrade to a BeikeShop version newer than 1.6.0.22.
Implement strict input validation and escaping for all user‑supplied data, especially the settings.value argument, to eliminate injection vectors.
Restrict access to the admin.php endpoint to trusted IP ranges or authenticated roles only, and consider network segmentation or a WAF to block unauthorized requests.

Generated by OpenCVE AI on June 8, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://anonymous.4open.science/r/beikeshop-4B75/second-order-sqli-report.md
https://github.com/beikeshop/beikeshop/commit/2fa9805411088069fcc3b0c15b2f1f33d6e09958
https://vuldb.com/cve/CVE-2026-11480
https://vuldb.com/submit/833973
https://vuldb.com/vuln/369100
https://vuldb.com/vuln/369100/cti

History

Mon, 08 Jun 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. Impacted is an unknown function of the file beike/Admin/Routes/admin.php of the component Admin Design Builder Endpoint. Performing a manipulation of the argument settings.value results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 2fa9805411088069fcc3b0c15b2f1f33d6e09958. To fix this issue, it is recommended to deploy a patch.
Title		Chengdu Everbrite Network Technology BeikeShop Admin Design Builder Endpoint admin.php sql injection
First Time appeared		Chengdu Everbrite Network Technology Chengdu Everbrite Network Technology beikeshop
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:chengdu_everbrite_network_technology:beikeshop::::::::
Vendors & Products		Chengdu Everbrite Network Technology Chengdu Everbrite Network Technology beikeshop
References		https://anonymous.4open.science/r/beikeshop-4B75/second-order-sqli-report.md https://github.com/beikeshop/beikeshop/commit/2fa9805411088069fcc3b0c15b2f1f33d6e09958 https://vuldb.com/cve/CVE-2026-11480 https://vuldb.com/submit/833973 https://vuldb.com/vuln/369100 https://vuldb.com/vuln/369100/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Chengdu Everbrite Network Technology Beikeshop

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-08T02:30:11.142Z

Updated: 2026-06-08T02:30:11.142Z

Reserved: 2026-06-07T09:53:15.168Z

Link: CVE-2026-11480

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T03:16:20.363

Modified: 2026-06-08T03:16:20.363

Link: CVE-2026-11480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T07:00:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object