Description
A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. Manipulation of the argument DeptIDList causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw triggered by manipulating the DeptIDList argument in the UserSel.aspx page of Jinher OA. The defect allows an attacker to inject arbitrary SQL statements into queries against the underlying database, which can result in unauthorized data disclosure, data tampering, or potentially the creation of new database users. This weakness is identified as CWE-74 (Data Query Manipulation) and CWE-89 (SQL Injection).

Affected Systems

The affected product is Jinher OA version 1.0, specifically the UserSel.aspx component located under /C6/JHSoft.Web.PlanSummarize/. No additional product or version details are provided in the advisory.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (Medium) reflects low confidentiality, integrity and availability impact on the vulnerable system, reachable over the network without privileges or user interaction. The EPSS score is not available, so the statistical likelihood of exploitation cannot be quantified, and the vulnerability is not listed in CISA KEV. However, the description notes that an exploit has been published and that the flaw is remotely exploitable. Since the vendor has not responded and no patch exists, an attacker with network access to the application can likely leverage this flaw unless it is mitigated by compensating controls.

Generated by OpenCVE AI on May 2, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Restrict network access to Jinher OA by limiting exposure of UserSel.aspx to trusted IP ranges.
  • Deploy a web application firewall or equivalent filtering to detect and block common SQL injection payloads.
  • Configure the application code to use parameterized queries or prepared statements for all database interactions.
  • Monitor application and database logs for anomalous query patterns and investigate any suspicious activity.

Advisories

No advisories yet.

History

Sat, 02 May 2026 22:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: Jinher OA UserSel.aspx sql injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74, CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:

cvssV2_0
{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T22:15:13.667Z

Reserved: 2026-05-02T08:07:18.540Z

Link: CVE-2026-7670

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T23:16:16.860

Modified: 2026-05-02T23:16:16.860

Link: CVE-2026-7670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T23:30:05Z

Weaknesses