Description
A security vulnerability has been detected in weng-xianhu EyouCMS up to 1.7.1. This issue affects some unknown processing of the file /index.php of the component API. Such manipulation of the argument click_like leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-29
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote SQL injection flaw (CWE-89) exists in the handling of the click_like argument by the /index.php API component of weng‑xianhu EyouCMS. An attacker who can reach the endpoint can place crafted input in click_like and have it interpolated into a database statement, so that attacker-controlled SQL runs against the CMS backend. The CVE description does not say what the affected query does, so the precise effect on data confidentiality and integrity is not established; the published CVSS vectors rate confidentiality, integrity and availability impact as low.

Affected Systems

The advisory covers weng‑xianhu EyouCMS releases up to and including version 1.7.1; the CPE entry (cpe:2.3:a:eyoucms:eyoucms:*) carries no version bound. The reporter states that the project was notified early through an issue report and has not responded, and no fixed release is identified in this record.

Risk and Exploitability

The CVSS 4.0 score of 5.1 (CVSS 3.1: 4.7) indicates medium severity. The attack vector is network, but every published vector records PR:H (CVSS 2.0: Au:M), so the assessment assumes the attacker already holds a privileged account on the CMS; nothing in the record supports the idea that the endpoint is reachable by unauthenticated users, and deployments should check that before treating this as an internet-exposed issue. A public proof of concept exists (E:P, SSVC Exploitation: poc), SSVC rates it Automatable: no and Technical Impact: partial, no EPSS score is available, and the issue is not listed in the CISA KEV catalog. Successful exploitation lets the attacker run SQL of their choosing within the injected query context against the CMS database.

Generated by OpenCVE AI on June 29, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround has been provided at the time of writing.

OpenCVE Recommended Actions

  • Apply a vendor patch or an EyouCMS release newer than 1.7.1 that addresses the click_like injection once one is published; none is identified in this record.
  • Until then, restrict who can reach /index.php API requests that carry click_like, using network controls or a web application firewall (trusted source IPs, authentication), and log rejected requests so attempts are visible to detection.
  • On the server side, treat click_like as an integer identifier: reject any value that is not a bounded positive integer before it reaches the database layer, and bind it as a query parameter instead of concatenating it into SQL. Filtering at a WAF is a stopgap; the code-level check is the fix.

Generated by OpenCVE AI on June 29, 2026 at 15:05 UTC.
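
The following is an added example, not EyouCMS code: the CVE record gives no source for the affected handler, so it models the pattern behind CVE-2026-13569 in Python with SQLite (EyouCMS itself is PHP). It shows the injectable string-built query next to a hardened version that type-checks click_like and binds it as a parameter, then reuses the same check to flag attempts in access-log lines. The table, column names, log lines and the assumption that click_like travels in the query string are all constructed for the example.

```python
"""
Added example, not EyouCMS code: the CVE record gives no source for the
affected handler, so this models the pattern behind CVE-2026-13569 in
Python with SQLite (EyouCMS itself is PHP). It shows the injectable
string-built query next to a hardened version that type-checks click_like
and binds it as a parameter, then reuses the same check to flag attempts
in access-log lines. The table, column names and log lines are assumptions.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed schema standing in for the CMS table behind a "like" counter.
SCHEMA = """
CREATE TABLE archives (aid INTEGER PRIMARY KEY, title TEXT, click_like INTEGER);
INSERT INTO archives VALUES (1, 'first', 0), (2, 'second', 0), (3, 'third', 0);
"""


def new_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def like_vulnerable(con: sqlite3.Connection, click_like: str) -> int:
    """Injectable: the raw request value is concatenated into the statement.
    Returns the number of rows updated."""
    sql = "UPDATE archives SET click_like = click_like + 1 WHERE aid = " + click_like
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


class BadClickLike(ValueError):
    """Raised when click_like is not a bounded positive integer identifier."""


ID_RE = re.compile(r"^[0-9]{1,10}$")


def validate_click_like(value: str) -> int:
    """Accept only a positive decimal id of at most ten digits; reject everything else."""
    if not ID_RE.fullmatch(value) or int(value) == 0:
        raise BadClickLike(f"rejected click_like={value!r}")
    return int(value)


def like_hardened(con: sqlite3.Connection, click_like: str) -> int:
    """Validated and parameterised: the value can only ever be an integer bound to '?'."""
    aid = validate_click_like(click_like)
    cur = con.execute(
        "UPDATE archives SET click_like = click_like + 1 WHERE aid = ?", (aid,)
    )
    con.commit()
    return cur.rowcount


def hardened_rejects(click_like: str) -> bool:
    """True if the hardened handler refuses the value before touching the database."""
    try:
        like_hardened(new_db(), click_like)
    except BadClickLike:
        return True
    return False


# Constructed access-log lines (assumption: click_like travels in the query string).
SAMPLE_LOG = """\
198.51.100.7 - - [29/Jun/2026:14:03:11 +0000] "GET /index.php?click_like=12 HTTP/1.1" 200 61
203.0.113.5 - - [29/Jun/2026:14:03:40 +0000] "GET /index.php?click_like=1%20OR%201%3D1 HTTP/1.1" 200 61
203.0.113.5 - - [29/Jun/2026:14:04:02 +0000] "GET /index.php?click_like=1'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 61
198.51.100.7 - - [29/Jun/2026:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 61
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious(log_text: str) -> list:
    """Return (client_ip, decoded click_like) for requests whose value fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for raw in params.get("click_like", []):
            try:
                validate_click_like(raw)
            except BadClickLike:
                hits.append((line.split()[0], raw))
    return hits


if __name__ == "__main__":
    payload = "1 OR 1=1"
    print("vulnerable rows updated:", like_vulnerable(new_db(), payload))  # 3, not 1
    print("hardened rejects payload:", hardened_rejects(payload))          # True
    for ip, value in flag_suspicious(SAMPLE_LOG):
        print(f"suspicious click_like from {ip}: {value!r}")
```

The vulnerable handler updates every row for the payload `1 OR 1=1` because the value becomes part of the WHERE clause; the hardened handler never reaches the database with it. The same validator doubles as a log-side detector: anything in click_like that is not a small positive integer is worth a look, and the decoded value in the hit tells the analyst what was tried.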

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Weng-xianhu
                                      Weng-xianhu eyoucms
Vendors & Products                    Weng-xianhu
                                      Weng-xianhu eyoucms

Mon, 29 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Type                 Values Removed   Values Added
Description                           A security vulnerability has been detected in weng-xianhu EyouCMS up to 1.7.1. This issue affects some unknown processing of the file /index.php of the component API. Such manipulation of the argument click_like leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title                                 weng-xianhu EyouCMS API index.php sql injection
First Time appeared                   Eyoucms
                                      Eyoucms eyoucms
Weaknesses                            CWE-74
                                      CWE-89
CPEs                                  cpe:2.3:a:eyoucms:eyoucms:*:*:*:*:*:*:*:*
Vendors & Products                    Eyoucms
                                      Eyoucms eyoucms
References
Metrics                               cvssV2_0 {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T14:51:53.636Z

Reserved: 2026-06-28T18:27:41.852Z

Link: CVE-2026-13569

Vulnrichment

Updated: 2026-06-29T14:50:50.687Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T20:05:24Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')