Description
A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is the function getListByPage of the file /index/Search/index.html. Manipulation of the argument keyword can lead to SQL injection. The attack may be performed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-19
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Remote SQL Injection
Action: Patch ASAP
AI Analysis

Impact

A flaw in dameng100 muucmf 1.9.5.20260309 allows an attacker to inject arbitrary SQL through the keyword argument of the getListByPage function in /index/Search/index.html. The vulnerability is a classic SQL injection (CWE-89) and may also involve improper neutralization of special elements (CWE-74). An unauthenticated attacker can supply a crafted value and potentially read, modify or delete data in the backend database, compromising confidentiality and integrity.

Affected Systems

dameng100 muucmf 1.9.5.20260309 is the only version explicitly listed as affected. The vulnerable component is the getListByPage function accessed via the web interface at /index/Search/index.html.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate impact, but an exploit has already been published and may be used by remote attackers. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely by sending a malicious keyword parameter to the getListByPage endpoint; no special privileges are required, making the risk broader for exposed systems.

Generated by OpenCVE AI on April 19, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate and sanitize the keyword argument to getListByPage, using parameterized queries or prepared statements to eliminate SQL injection possibilities.
  • Apply or upgrade to a vendor-patched version of dameng100 muucmf; if no patch exists, consider upgrading to the latest release or replacing the component.
  • Restrict external access to the Search endpoint by implementing firewall rules or network segmentation, and disable the endpoint if it is not required for business operations.

Advisories

No advisories yet.

History

Sun, 19 Apr 2026 08:45:00 +0000

Type: Values Added (Values Removed: none listed)

Description: A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is the function getListByPage of the file /index/Search/index.html. Manipulation of the argument keyword can lead to SQL injection. The attack may be performed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: dameng100 muucmf index.html getListByPage sql injection
Weaknesses: CWE-74, CWE-89
References:
Metrics:
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-19T08:15:11.633Z

Reserved: 2026-04-18T16:00:40.218Z

Link: CVE-2026-6562

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-19T09:16:10.100

Modified: 2026-04-19T09:16:10.100

Link: CVE-2026-6562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-19T09:30:23Z

Weaknesses