Description
qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII).
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in the SysDeptMapper.xml file of the qihang-wms application, reachable through the datascope parameter, as of commit 75c15a. Because the parameter is incorporated into the SQL statement without proper handling, an attacker can alter the query the database executes and read data it was never meant to return, including users' personally identifiable information. The CVSS vector (C:L/I:L/A:N) rates the confidentiality and integrity impact as partial, with no availability impact.

Affected Systems

The vulnerability is in the qihang-wms application, tracked under vendor Qiliping and product qihang-wms. Any deployment built from commit 75c15a is affected, as is any other revision that carries the same datascope handling in SysDeptMapper.xml; the CVE entry does not identify a fixed version.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: network reachable, low attack complexity, no privileges and no user interaction required, partial impact on confidentiality and integrity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation but marks the flaw as automatable. The attack vector is a remote request to the web interface or API that accepts the datascope parameter without proper validation. An attacker who can reach that endpoint can send crafted requests to extract database records, compromising confidentiality, and once the endpoint is identified the requests are easily scripted.

Generated by OpenCVE AI on May 13, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update qihang-wms to a revision later than commit 75c15a that fixes the datascope handling in SysDeptMapper.xml, once the maintainer publishes one; the CVE entry references no fix at the time of writing.
  • Restrict network access to the affected endpoint using firewall rules or application-layer controls until a fix is applied; the CVSS vector rates the flaw as reachable over the network without authentication, so the endpoint should not be exposed to untrusted networks.
  • Validate the datascope parameter against an allowlist of expected values and keep it out of the SQL text: bind values as query parameters, and where a SQL fragment is genuinely required, generate it server-side from an allowlisted key rather than accepting it from the request. Rejecting anything outside the expected set blocks injection attempts before they reach the database.

Generated by OpenCVE AI on May 13, 2026 at 23:07 UTC.
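A check a practitioner can run to find this class of bug across a MyBatis code base, together with the allowlisted server-side handling the third action above describes. This is an added example, not code from qihang-wms or OpenCVE: the sample SysDeptMapper.xml is constructed (its statement ids, columns and the placement of `${datascope}` are assumptions, since the CVE entry does not quote the vulnerable statement), and the scope keys in DATASCOPE_FRAGMENTS are hypothetical.

```python
"""Audit MyBatis mapper XML for `${...}` string-substitution sinks and show
allowlisted server-side handling that keeps request data out of SQL text.
Added example; the mapper below is constructed, not qihang-wms's own file."""
from __future__ import annotations

import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample. In MyBatis, `${name}` pastes the parameter's string value
# into the SQL before it reaches JDBC (a textual sink), while `#{name}` becomes
# a bound `?` placeholder. Statement ids and columns are assumptions.
SAMPLE_MAPPER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mapper namespace="com.example.mapper.SysDeptMapper">
  <select id="selectDeptList" resultType="SysDept">
    select d.dept_id, d.dept_name, d.leader, d.phone, d.email
    from sys_dept d
    where d.del_flag = '0'
    <if test="datascope != null and datascope != ''">
      AND ${datascope}
    </if>
  </select>
  <select id="selectDeptById" resultType="SysDept">
    select d.dept_id, d.dept_name from sys_dept d where d.dept_id = #{deptId}
  </select>
</mapper>
"""

SUBST_RE = re.compile(r"\$\{\s*([A-Za-z_][\w.]*)\s*\}")


def find_substitution_sinks(mapper_xml: str) -> list[dict]:
    """Return one finding per `${...}` occurrence, keyed by the enclosing
    statement id. Text inside nested <if>/<where>/<foreach> is included
    because MyBatis concatenates it into the same statement."""
    root = ET.fromstring(mapper_xml)
    findings = []
    for stmt in root:
        sql_text = "".join(stmt.itertext())
        for m in SUBST_RE.finditer(sql_text):
            findings.append({"tag": stmt.tag, "statement": stmt.get("id"), "param": m.group(1)})
    return findings


def scan_mapper_dir(root_dir: str) -> list[dict]:
    """Walk a source tree and collect sinks from every *Mapper.xml."""
    results = []
    for path in Path(root_dir).rglob("*Mapper.xml"):
        for f in find_substitution_sinks(path.read_text(encoding="utf-8")):
            results.append({"file": str(path), **f})
    return results


# Hardened handling (assumed design): the request carries a scope *key*; the
# server maps it to SQL it authored itself. Filter values still go through
# `#{}` binds, so no request-controlled bytes are ever spliced into SQL text.
DATASCOPE_FRAGMENTS = {
    "all": "1 = 1",
    "dept": "d.dept_id = #{deptId}",
    "self": "d.create_by = #{userName}",
}


def is_valid_datascope_key(value) -> bool:
    """Strict allowlist check; anything that is not an exact key is rejected."""
    return isinstance(value, str) and value in DATASCOPE_FRAGMENTS


def resolve_datascope(value) -> str:
    """Map a request-supplied key to the server-authored fragment, or fail closed."""
    if not is_valid_datascope_key(value):
        raise ValueError(f"datascope not in allowlist: {value!r}")
    return DATASCOPE_FRAGMENTS[value]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    sinks = scan_mapper_dir(target) if target else find_substitution_sinks(SAMPLE_MAPPER_XML)
    for s in sinks:
        print(f"{s.get('file', '<sample>')}: <{s['tag']} id={s['statement']}> uses ${{{s['param']}}}")
    # Fail-closed handling of a legitimate key and of an injection-shaped value.
    for candidate in ("dept", "1=1 OR (SELECT 1)"):
        try:
            print(candidate, "->", resolve_datascope(candidate))
        except ValueError as e:
            print(candidate, "-> rejected:", e)
```

Run it with a source-tree path to audit every `*Mapper.xml` under it; without arguments it scans the constructed sample and reports the `${datascope}` sink in `selectDeptList` while leaving the `#{deptId}` bind in `selectDeptById` unflagged. Every `${}` hit is a place where the parameter's origin has to be traced back to a trusted source; if it can come from a request, it is a sink of the kind this CVE describes.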


Advisories

No advisories yet.

History

Sun, 17 May 2026 20:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Qiliping
                                       Qiliping qihang-wms
Vendors & Products                     Qiliping
                                       Qiliping qihang-wms

Wed, 13 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title SQL Injection Vulnerability in qihang-wms Exposing PII

Wed, 13 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in qihang-wms Exposes PII
Weaknesses CWE-200

Wed, 13 May 2026 19:30:00 +0000

Type       Values Removed   Values Added
Metrics                     cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                            ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 16:45:00 +0000

Type         Values Removed   Values Added
Title                         SQL Injection in qihang-wms Exposes PII
Weaknesses                    CWE-200
                              CWE-89

Wed, 13 May 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description                    qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII).
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T18:23:22.488Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37428

Vulnrichment

Updated: 2026-05-13T18:23:16.535Z

NVD

Status : Deferred

Published: 2026-05-13T14:17:27.320

Modified: 2026-05-13T19:17:12.127

Link: CVE-2026-37428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:42:23Z

Weaknesses