Description
A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-02-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch Now
AI Analysis

Impact

The vulnerability is a remote SQL injection in the Fujian Smart Integrated Management Platform System. A crafted request to /Module/CRXT/Controller/XAccessPermissionPlus.ashx that manipulates the DeviceIDS argument can inject arbitrary SQL. This leads to unauthorized data disclosure or modification, affecting the confidentiality and integrity of the system’s database.

Affected Systems

The affected product is Fujian Smart Integrated Management Platform System, with vulnerable versions up to 7.5 inclusive. No specific patch status is mentioned, so any system running 7.5 or an earlier release may be at risk.

Risk and Exploitability

The CVSS 4.0 score is 6.9, a Medium severity rating. The EPSS score is below 1%, suggesting a low but non-zero probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires remote delivery of a malicious query via the web application, and an attacker can use the publicly available exploit to perform unauthorized database operations.

Generated by OpenCVE AI on April 18, 2026 at 11:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch when available.
  • Implement input validation and use parameterized queries on DeviceIDS to prevent injection.
  • Restrict network access to the vulnerable endpoint and monitor logs for suspicious activity.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fujian; Fujian smart Integrated Management Platform System
Vendors & Products | | Fujian; Fujian smart Integrated Management Platform System

Fri, 20 Feb 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Title | | Fujian Smart Integrated Management Platform System XAccessPermissionPlus.ashx sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:30:06.183Z

Reserved: 2026-02-19T17:17:49.621Z

Link: CVE-2026-2820

Vulnrichment

Updated: 2026-02-20T16:39:14.724Z

NVD

Status: Deferred

Published: 2026-02-20T02:16:55.593

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z
