Description
A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This affects an unknown part of the file /admin-api/system/tenant/get-by-website. The manipulation of the argument Website results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: SQL injection allowing unauthorized database access
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in YunaiV yudao-cloud allows attackers to manipulate the 'Website' parameter in the /admin-api/system/tenant/get-by-website endpoint, leading to arbitrary SQL code execution. The flaw can be exploited remotely, enabling attackers to read, modify, or delete data stored in the database. Because the code injection is not sanitized, it can expose sensitive information or compromise internal data integrity.

Affected Systems

Affected systems are instances of YunaiV yudao-cloud running versions up to 2026.01. The vulnerability exists in an unspecified component of /admin-api/system/tenant/get-by-website, which is part of the admin API. Users of any unpatched version within that range are at risk. No other products or versions were listed.

Risk and Exploitability

The CVSS score is 6.9, indicating a medium to high severity. EPSS is not available, but the exploit has been released publicly and can be conducted over the network. The vulnerability is not currently cataloged in the CISA KEV list, yet it remains a significant risk. Attackers can send crafted requests to the vulnerable endpoint from any network location that can reach the API, making the attack vector remote and straightforward.

Generated by OpenCVE AI on March 30, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest YunaiV yudao-cloud patch that resolves the SQL injection flaw.
  • If a patch is not available, block or restrict access to the vulnerable API endpoint to trusted networks only.
  • Monitor logs for suspicious query activity and investigate any anomalies.

Generated by OpenCVE AI on March 30, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This affects an unknown part of the file /admin-api/system/tenant/get-by-website. The manipulation of the argument Website results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title YunaiV yudao-cloud get-by-website sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T18:45:13.981Z

Reserved: 2026-03-30T13:23:47.648Z

Link: CVE-2026-5147

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-30T19:16:27.690

Modified: 2026-03-30T19:16:27.690

Link: CVE-2026-5147

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:55:14Z

Weaknesses