CVE-2026-2663 - Vulnerability Details

- Alixhan xh-admin-backend Database Query query sql injection

Description

A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-18

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in the Alixhan xh-admin-backend component that allows an attacker to manipulate the request argument sent to the /frontend-api/system-service/api/system/role/query endpoint. This manipulation leads to unparameterized SQL queries, enabling an attacker to execute arbitrary SQL statements. The primary impact of exploiting this flaw is unauthorized data exposure, potential data modification, and possible privilege escalation if the database user has elevated rights. The weakness is classified under CWE-74 and CWE-89, indicating raw data usage in a database query without proper sanitization.

Affected Systems

The affected product is Alixhan xh-admin-backend version 1.7.0 and prior releases. Users running any version up to 1.7.0 should consider themselves at risk, as the flaw resides in the Database Query Handler processing component.

Risk and Exploitability

The CVSS score of 5.3 denotes medium severity, and the EPSS score indicates a very low likelihood of automated exploitation at the current report time, though the vulnerability has been publicly disclosed. Attackers can launch the exploit remotely by sending crafted HTTP requests to the vulnerable endpoint; no local prerequisites are documented. The vulnerability is not listed in the CISA KEV catalog, but the public disclosure suggests it is actively known in the community.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Alixhan

xh-admin-backend

affected

Version	Status	Constraints
`1.0`	affected	—
`1.1`	affected	—
`1.2`	affected	—
`1.3`	affected	—
`1.4`	affected	—
`1.5`	affected	—
`1.6`	affected	—
`1.7.0`	affected	—

No data.

Vendor Product Confidence Versions

Alixhan

Xh-admin-backend

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—
`1.1`	affected	generic	—
`1.2`	affected	generic	—
`1.3`	affected	generic	—
`1.4`	affected	generic	—
`1.5`	affected	generic	—
`1.6`	affected	generic	—
`1.7.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Alixhan xh-admin-backend to a version newer than 1.7.0 that contains the fix for the SQL injection flaw.
If an upgrade is not immediately possible, implement input validation or parameterized query handling for the /frontend-api/system-service/api/system/role/query endpoint to prevent raw user input from reaching the database layer.
Restrict the database account used by the backend to only the minimum privileges required for normal operation, thereby limiting the potential impact if an injection succeeds.

Generated by OpenCVE AI on April 17, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://vuldb.com/?ctiid.346461
https://vuldb.com/?id.346461
https://vuldb.com/?submit.753225

History

Thu, 19 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Alixhan Alixhan xh-admin-backend
Vendors & Products		Alixhan Alixhan xh-admin-backend

Wed, 18 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Feb 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Alixhan xh-admin-backend Database Query query sql injection
Weaknesses		CWE-74 CWE-89
References		https://vuldb.com/?ctiid.346461 https://vuldb.com/?id.346461 https://vuldb.com/?submit.753225
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Alixhan Xh-admin-backend

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-18T19:32:09.406Z

Updated: 2026-02-23T10:19:26.187Z

Reserved: 2026-02-18T07:43:08.772Z

Link: CVE-2026-2663

Vulnrichment

Updated: 2026-02-18T20:04:14.165Z

NVD

Status : Deferred

Published: 2026-02-18T20:18:36.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object