CVE-2026-2821 - Vulnerability Details

- Fujian Smart Integrated Management Platform System XCamera.ashx sql injection

Description

A weakness has been identified in Fujian Smart Integrated Management Platform System up to 7.5. Impacted is an unknown function of the file /Module/CRXT/Controller/XCamera.ashx. This manipulation of the argument ChannelName causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

Published: 2026-02-20

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker to manipulate the ChannelName parameter in the XCamera.ashx endpoint to inject arbitrary SQL commands. When the attack succeeds, the attacker can read, modify or delete data stored in the underlying database, potentially compromising confidentiality, integrity, or availability of system information. The flaw is a classic SQL injection described by CWE‑74 and CWE‑89.

Affected Systems

Fujian Smart Integrated Management Platform System, versions up to 7.5, includes the XCamera.ashx handler under /Module/CRXT/Controller/. The affected function is undocumented, but any installation of the platform prior to 7.5 runs with the vulnerable component.

Risk and Exploitability

The CVSS score is 6.9, indicating a moderate severity. EPSS shows a very low exploitation probability of less than 1%. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to send a specially crafted HTTP request to the vulnerable endpoint, which is reachable from the internet or internal network, and has no known mitigations in place. Consequently, the risk is considered moderate but manageable with prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Fujian

Smart Integrated Management Platform System

affected

Version	Status	Constraints
`7.0`	affected	—
`7.1`	affected	—
`7.2`	affected	—
`7.3`	affected	—
`7.4`	affected	—
`7.5`	affected	—

No data.

Vendor Product Confidence Versions

Fujian

Smart Integrated Management Platform System

100%

Version	Status	Scheme	Platform
`7.0`	affected	generic	—
`7.1`	affected	generic	—
`7.2`	affected	generic	—
`7.3`	affected	generic	—
`7.4`	affected	generic	—
`7.5`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Fujian patch that addresses the XCamera.ashx SQL injection flaw.
If a patch is unavailable, restrict or block external access to /Module/CRXT/Controller/XCamera.ashx using the web server or firewall rules.
Implement a web application firewall or regex‑based input filtering to reject malicious SQL patterns targeting the ChannelName parameter.

Generated by OpenCVE AI on April 17, 2026 at 17:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/luoye197-prog/cve-yinda-sql2/blob/main/introduce
https://github.com/luoye197-prog/cve-yinda-sql2/blob/main/poc.py
https://vuldb.com/?ctiid.346946
https://vuldb.com/?id.346946
https://vuldb.com/?submit.753405

History

Fri, 20 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fujian Fujian smart Integrated Management Platform System
Vendors & Products		Fujian Fujian smart Integrated Management Platform System

Fri, 20 Feb 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in Fujian Smart Integrated Management Platform System up to 7.5. Impacted is an unknown function of the file /Module/CRXT/Controller/XCamera.ashx. This manipulation of the argument ChannelName causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Title		Fujian Smart Integrated Management Platform System XCamera.ashx sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/luoye197-prog/cve-yinda-sql2/blob/main/introduce https://github.com/luoye197-prog/cve-yinda-sql2/blob/main/poc.py https://vuldb.com/?ctiid.346946 https://vuldb.com/?id.346946 https://vuldb.com/?submit.753405
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Fujian Smart Integrated Management Platform System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-20T02:32:06.771Z

Updated: 2026-02-23T10:30:19.990Z

Reserved: 2026-02-19T17:17:52.448Z

Link: CVE-2026-2821

Vulnrichment

Updated: 2026-02-20T15:32:32.734Z

NVD

Status : Deferred

Published: 2026-02-20T03:16:02.137

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2821

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object