Description
A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such manipulation of the argument comid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows a remote attacker to inject arbitrary SQL statements through the "comid" parameter in the /mine/PublicReport/prinReport.html endpoint of the Tsinghua Unigroup Electronic Archives System. The injected SQL can read, modify, or delete data in the underlying database, potentially exposing confidential information or corrupting records. The flaw is a classic input validation weakness, classified as CWE-89.

Affected Systems

Tsinghua Unigroup Electronic Archives System, versions up to 3.2.210802 (62532). The affected code is the function that processes the "comid" argument; the vendor identifies the product as "Electronic Archives System."

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at this moment. However, the vulnerability is publicly disclosed, with proof‑of‑concept code available on GitHub and references on VulDB. The vendor did not respond to notifications, so no official fix has been released yet. Because the vulnerable endpoint can be reached remotely and the exploit code is already public, organizations that run this software face a non‑negligible risk of data compromise if no mitigation is applied.

Generated by OpenCVE AI on April 17, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Consult the vendor for an official patch or upgrade to a version newer than 3.2.210802 (62532); apply the update as soon as it becomes available.
  • If no patch is available, restrict or block external access to /mine/PublicReport/prinReport.html and implement strict input validation or parameterized queries for the "comid" parameter to prevent injection.
  • Place the Electronic Archives System behind additional network controls such as a VPN or IP‑based firewall, and monitor database activity for suspicious queries.

Generated by OpenCVE AI on April 17, 2026 at 18:25 UTC.
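
One way to act on the monitoring recommendation above, as an added example that is not code from OpenCVE, VulDB or the vendor: scan web access logs for requests to the affected endpoint whose "comid" value fails an allowlist. It assumes combined-format access logs and that legitimate "comid" values are short alphanumeric identifiers; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/mine/PublicReport/prinReport.html"  # path named in the advisory
# Assumption: legitimate comid values are short alphanumeric identifiers.
COMID_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Client IP and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Return (client_ip, decoded comid) for endpoint hits that fail the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if url.path.lower() != ENDPOINT.lower():
            continue
        # parse_qs percent-decodes values and keeps repeated parameters;
        # only query-string parameters are visible in access logs, not POST bodies.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("comid", []):
            if not COMID_ALLOWED.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2026:10:00:01 +0000] "GET /mine/PublicReport/prinReport.html?token=java&comid=1024 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Feb/2026:10:00:05 +0000] "GET /mine/PublicReport/prinReport.html?token=java&comid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 88211',
    '192.0.2.10 - - [18/Feb/2026:10:00:09 +0000] "GET /index.html?comid=x%27 HTTP/1.1" 200 100',
    '203.0.113.5 - - [18/Feb/2026:10:00:12 +0000] "GET /mine/PublicReport/prinReport.html?token=java&comid=7&comid=7%3B-- HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for ip, comid in suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} sent comid={comid!r}")
```

The same allowlist can be enforced at a reverse proxy or WAF in front of the application until a vendor fix exists.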


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Unigroup; Unigroup electronic Archives System |
| CPEs | | cpe:2.3:a:unigroup:electronic_archives_system:*:*:*:*:*:*:*:* |
| Vendors & Products | | Unigroup; Unigroup electronic Archives System |

Thu, 19 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 19 Feb 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Tsinghua Unigroup; Tsinghua Unigroup electronic Archives System |
| Vendors & Products | | Tsinghua Unigroup; Tsinghua Unigroup electronic Archives System |

Wed, 18 Feb 2026 23:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such manipulation of the argument comid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Title | | Tsinghua Unigroup Electronic Archives System prinReport.html sql injection |
| Weaknesses | | CWE-74; CWE-89 |
| References | | |
| Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:25:54.393Z

Reserved: 2026-02-18T13:36:24.335Z

Link: CVE-2026-2682

Vulnrichment

Updated: 2026-02-19T16:11:52.387Z

NVD

Status: Analyzed

Published: 2026-02-18T23:16:21.100

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses