Description
A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to install a patch to address this issue. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

A flaw in Jinher OA C6 allows attackers to manipulate the id/offsnum argument on the OfficeSupplyTypeRight.aspx page, leading to SQL injection. The vulnerability can be triggered remotely, enabling an attacker to read, modify, or delete data within the underlying database, potentially compromising confidentiality, integrity, or availability of sensitive business information. The weakness aligns with CWE-74 URL‑Parameter Manipulation and CWE-89 SQL Injection.

Affected Systems

Jinher OA C6 up to the build dated 20260210 is affected. No specific patch level or version list is included beyond this date. The vulnerability resides in the OfficeSupplyTypeRight.aspx endpoint of the Jinher OA C6 application.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% reflects a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely used exploit has been observed. Attackers would need network or web access to the application and could exploit the flaw remotely by providing crafted requests to the OfficeSupplyTypeRight.aspx endpoint.

Generated by OpenCVE AI on April 17, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch that fixes the SQL injection flaw in OfficeSupplyTypeRight.aspx.
  • Ensure that access to OfficeSupplyTypeRight.aspx is protected by proper authentication and that only authorized personnel can reach it.
  • Implement input validation or use parameterized queries for the id and offsnum parameters to eliminate the possibility of SQL injection.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jinher; Jinher oa C6
Vendors & Products | | Jinher; Jinher oa C6

Mon, 23 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 01:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to install a patch to address this issue. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Jinher OA C6 OfficeSupplyTypeRight.aspx sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}; cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}; cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}; cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T13:50:26.894Z

Reserved: 2026-02-22T07:22:45.351Z

Link: CVE-2026-2963

Vulnrichment

Updated: 2026-02-23T13:50:18.292Z

NVD

Status: Deferred

Published: 2026-02-23T01:16:18.130

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses