Description
qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII) via a crafted SQL statement.
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw has been identified in the qihang-wms application, specifically through the datascope parameter in the SysUserMapper.xml file. Crafted SQL statements inserted via this parameter enable attackers to read sensitive database records, including personally identifiable information of users. The weakness stems from improper handling of user input, allowing a classic data‑exfiltration vector that compromises confidentiality.

Affected Systems

The vulnerability targets the qihang-wms system on commit 75c15a. No other vendors or product variants appear in the CNA data, so the primary affected product is the qihang-wms application as referenced in the advisory.

Risk and Exploitability

The CVE carries a CVSS score of 6.5, indicating medium severity, and it is not listed in the CISA KEV catalog. An EPSS score is not available, so the likelihood of exploitation is indeterminate from current data. The likely attack vector is a web‑based request that includes a malicious datascope value, though the description does not specify whether authentication is required to submit this parameter.

Generated by OpenCVE AI on May 13, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patch that validates or parameterizes the datascope input, or upgrade to a newer qihang-wms release that contains this fix
  • Implement input sanitization to escape or reject characters that could alter SQL syntax
  • Ensure the database account used by the application has only the minimum privileges necessary to perform its intended functions

Generated by OpenCVE AI on May 13, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Qiliping
Qiliping qihang-wms
Vendors & Products Qiliping
Qiliping qihang-wms

Wed, 13 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title qihang-wms SQL Injection via datascope Parameter Exposing PII

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title qihang-wms SQL Injection via datascope Parameter Exposing PII
Weaknesses CWE-89

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII) via a crafted SQL statement.
References

Subscriptions

Qiliping Qihang-wms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T18:24:11.511Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37429

cve-icon Vulnrichment

Updated: 2026-05-13T18:24:07.710Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T14:17:32.287

Modified: 2026-05-13T19:17:12.330

Link: CVE-2026-37429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T19:42:22Z

Weaknesses