Description
A vulnerability was detected in FeMiner wms up to 1.0. This impacts an unknown function of the file /wms-master/src/basic/depart/depart_add_bg.php of the component Basic Organizational Structure Module. Performing a manipulation of the argument Name results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection leading to data exposure
Action: Apply Patch
AI Analysis

Impact

An attacker can manipulate the Name parameter in the depart_add_bg.php script, allowing arbitrary SQL commands to be executed against the database. The vulnerability may be exploited remotely without authentication, leading to potential data exposure and unauthorized database access. This corresponds to CWE-89 (SQL Injection) and may also involve CWE-74 (SQL Injection via Unescaped Input).

Affected Systems

The affected product is FeMiner WMS, version 1.0 and earlier, as identified in the file /wms-master/src/basic/depart/depart_add_bg.php. No official vendor response was publicly available, and the vulnerability is currently disclosed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate impact, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, and its exploit is publicly available. Attackers can exploit it over the network by sending crafted requests to the Name parameter, achieving unauthorized SQL execution.

Generated by OpenCVE AI on March 18, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch or upgrade to a version newer than 1.0
  • Restrict network access to the /wms-master/src/basic/depart/depart_add_bg.php endpoint until a patch is available
  • Implement a Web Application Firewall or input validation to block malicious 'Name' parameters
  • Monitor logs for unusual database activity
  • Contact vendor for acknowledgment and patch release

Generated by OpenCVE AI on March 18, 2026 at 15:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Feminer
Feminer wms
Vendors & Products Feminer
Feminer wms

Thu, 12 Mar 2026 00:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in FeMiner wms up to 1.0. This impacts an unknown function of the file /wms-master/src/basic/depart/depart_add_bg.php of the component Basic Organizational Structure Module. Performing a manipulation of the argument Name results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title FeMiner wms Basic Organizational Structure depart_add_bg.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Feminer Wms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T16:21:32.572Z

Reserved: 2026-03-11T13:49:01.872Z

Link: CVE-2026-3969

cve-icon Vulnrichment

Updated: 2026-03-12T16:21:28.947Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-12T01:15:55.203

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-3969

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:22Z

Weaknesses