Description
A weakness has been identified in shsuishang modulithshop up to commit 829bac71f507e84684c782b9b062b8bf3b5585d6. The impacted element is the function listItem in the file src/main/java/com/suisung/shopsuite/pt/service/impl/ProductIndexServiceImpl.java of the ProductItemDao Interface component. Manipulation of the argument sidx/sort can lead to SQL injection. The attack may be performed remotely. An exploit has been made public and could be used in attacks. This product uses a rolling release model for continuous delivery, so version information for affected or updated releases is not disclosed. The fix is commit 42bcb9463425d1be906c3b290cf29885eb5a2324; applying this patch remediates the issue.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

The affected code in ProductIndexServiceImpl allows an attacker to supply crafted input in the sidx/sort parameter, so that unsanitized data is placed into a SQL statement. A public exploit exists for this remotely reachable SQL injection flaw, which may enable attackers to read, modify, or delete data stored in the database. It directly compromises the confidentiality and integrity of the application's data records, as reflected by the identified CWE-74 and CWE-89 weaknesses.

Affected Systems

The vulnerability impacts the shsuishang modulithshop open‑source e‑commerce application. All releases up to revision 829bac71f507e84684c782b9b062b8bf3b5585d6 are affected. Because the project follows a rolling release model, no specific version numbers are published; deployments prior to commit 42bcb9463425d1be906c3b290cf29885eb5a2324 remain vulnerable.

Risk and Exploitability

With a CVSS score of 5.3 the issue is of medium severity, and no EPSS score is available. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely through the listItem endpoint, and a public exploit has already been released. Applying the referenced patch or upgrading to a newer commit is essential to mitigate this risk.

Generated by OpenCVE AI on April 2, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch corresponding to commit 42bcb9463425d1be906c3b290cf29885eb5a2324 or upgrade to a release published after this commit.
  • Verify that the sidx/sort parameter is now sanitized and that SQL queries are constructed safely, for example by using prepared statements or parameterized queries.
  • If an immediate patch cannot be applied, monitor traffic to the listItem endpoint for suspicious SQL‑like payloads and implement input validation or a web application firewall rule to block injection attempts.
  • Continuously monitor the modulithshop repository, vulnerability databases, and security advisories for further updates or new findings.
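The second recommendation above deserves a concrete illustration, because a sort column and sort direction are SQL identifiers and keywords, not values: JDBC prepared-statement placeholders can bind values but cannot bind an ORDER BY column name, so parameterization alone does not close this class of bug. The usual fix is an allowlist that maps the API-facing sort keys to fixed column names and accepts only "asc"/"desc" as the direction. The following is an added example written for this page; it is not code from modulithshop, and the column names, sort keys, and class name are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not modulithshop code): allowlist handling of a
 * user-controlled sort column (sidx) and direction (sort) for a listing query.
 * Only values present in the allowlist ever reach the ORDER BY clause.
 */
public final class SortParamGuard {

    // Hypothetical mapping from API-facing sort keys to real column names.
    // Anything not in this map falls back to the default sort.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "price", "product_unit_price",
            "sales", "product_sale_num",
            "created", "product_create_time");

    private static final String DEFAULT_SORT_KEY = "created";

    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    // Loose pattern used only to flag suspicious raw input for logging/alerting.
    // It is NOT the security control; the allowlist above is.
    private static final Pattern SUSPICIOUS = Pattern.compile(
            "[;'\"()]|--|/\\*|\\b(select|union|sleep|benchmark|waitfor)\\b",
            Pattern.CASE_INSENSITIVE);

    private SortParamGuard() {}

    /**
     * Builds a safe "column DIRECTION" fragment from untrusted sidx/sort input.
     * Unknown columns or directions are replaced by the defaults rather than
     * being interpolated into the SQL statement.
     */
    public static String orderByFragment(String sidx, String sort) {
        String key = sidx == null ? "" : sidx.trim().toLowerCase();
        String column = SORT_COLUMNS.getOrDefault(key, SORT_COLUMNS.get(DEFAULT_SORT_KEY));

        String direction = sort == null ? "" : sort.trim().toLowerCase();
        if (!DIRECTIONS.contains(direction)) {
            direction = "desc";
        }
        return column + " " + direction.toUpperCase();
    }

    /** True when the raw parameter looks like an injection attempt; use for detection only. */
    public static boolean looksSuspicious(String raw) {
        return raw != null && SUSPICIOUS.matcher(raw).find();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate request and one hostile one.
        System.out.println(orderByFragment("price", "asc"));

        String hostile = "product_id; --";
        if (looksSuspicious(hostile)) {
            System.out.println("suspicious sort parameter rejected: " + hostile);
        }
        // The hostile string is not in the allowlist, so the default column is used.
        System.out.println(orderByFragment(hostile, "desc"));
    }
}
```

Two design points: the allowlist keeps the raw request value out of the statement entirely, so it remains the control even if the detection regex misses a payload; and `looksSuspicious` is kept separate so that a rejected value can be logged and fed to monitoring of the listItem endpoint (the third recommendation) without being re-used in the query. If the query layer supports string interpolation of SQL fragments (as some mapper frameworks do), only the output of `orderByFragment`, never the raw parameter, should be interpolated.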


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Shsuishang; Shsuishang shopsuite Modulithshop

Type: Vendors & Products
Values Added: Shsuishang; Shsuishang shopsuite Modulithshop

Thu, 02 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 12:45:00 +0000

Type: Description
Values Added: A weakness has been identified in shsuishang modulithshop up to 829bac71f507e84684c782b9b062b8bf3b5585d6. The impacted element is the function listItem of the file src/main/java/com/suisung/shopsuite/pt/service/impl/ProductIndexServiceImpl.java of the component ProductItemDao Interface. Executing a manipulation of the argument sidx/sort can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. This patch is called 42bcb9463425d1be906c3b290cf29885eb5a2324. A patch should be applied to remediate this issue.

Type: Title
Values Added: shsuishang modulithshop ProductItemDao ProductIndexServiceImpl.java listItem sql injection

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: References

Type: Metrics
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Shsuishang Shopsuite Modulithshop
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T13:31:24.614Z

Reserved: 2026-04-01T13:29:33.027Z

Link: CVE-2026-5328

Vulnrichment

Updated: 2026-04-02T13:16:18.318Z

NVD

Status: Received

Published: 2026-04-02T13:16:27.400

Modified: 2026-04-02T13:16:27.400

Link: CVE-2026-5328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:25Z

Weaknesses