Description
A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the getUserList endpoint of youlaitech youlai-boot and allows an attacker to manipulate the argument order, resulting in SQL injection. This flaw can be triggered remotely. If exploited, an attacker could execute arbitrary SQL statements against the database, potentially revealing sensitive user data or altering application data.

Affected Systems

Applications built with youlaitech youlai-boot are vulnerable in all releases up to and including version 2.21.1; any later release that addresses the flaw would no longer be affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The remote attack vector and presence of SQL injection weaknesses (CWE-74 and CWE-89) suggest that exploitation can be achieved by sending crafted requests to the getUserList endpoint, especially when the service is exposed to the Internet.

Generated by OpenCVE AI on May 3, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch by upgrading to a version that fixes the getUserList SQL injection flaw (consult the vendor or source repository for the latest release).
  • Ensure that all input parameters to the getUserList endpoint are validated and bound using parameterized queries or prepared statements to eliminate manual string concatenation.
  • Limit external access to the getUserList endpoint by configuring firewall rules or a web application firewall to allow traffic only from trusted IP addresses or networks.
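As an added example, not youlai-boot's own code, the following Java class shows the allowlist approach the second recommendation relies on for a sort parameter: a column name or sort direction cannot be bound as a prepared-statement parameter, so both are mapped through a fixed table before being appended to the query, and only the search term is left as a bindable placeholder. The table name sys_user, the column names, the request sort keys and the defaults are assumptions.

```java
import java.util.Map;
import java.util.Set;

// Allowlist-based construction of the ORDER BY clause for a user-list query.
// Added example, not youlai-boot code: table, columns, request keys and
// defaults are assumed. Identifiers cannot be bound as JDBC parameters, so the
// sort key and direction are looked up in a fixed table rather than being
// copied from the request into the SQL string.
public final class UserListOrderBy {

    // Request sort keys the endpoint accepts, mapped to the real column names.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
            "username", "username",
            "createTime", "create_time",
            "status", "status");

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    /** Returns a safe "ORDER BY <column> <direction>" fragment or rejects the input. */
    public static String orderByClause(String sortKey, String direction) {
        String column = SORTABLE_COLUMNS.get(sortKey == null ? "createTime" : sortKey);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        String dir = direction == null ? "DESC" : direction.trim().toUpperCase();
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        // Only allowlisted values reach this point, so the concatenation is safe.
        return "ORDER BY " + column + " " + dir;
    }

    /** Builds the list query; the search term stays a '?' placeholder for binding. */
    public static String userListSql(String sortKey, String direction) {
        return "SELECT id, username, status, create_time FROM sys_user "
             + "WHERE username LIKE ? " + orderByClause(sortKey, direction);
    }

    public static void main(String[] args) {
        System.out.println(userListSql("createTime", "desc"));
        try {
            // A sort key outside the allowlist is rejected before any SQL is built.
            userListSql("role", "ASC");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejected sort keys should be logged with the request source; a burst of unknown sort fields or directions against the users endpoint is a useful detection signal for probing of this class of flaw.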

Advisories

No advisories yet.

History

Sun, 03 May 2026 00:15:00 +0000

Type: Description
  Values removed: (none)
  Values added: A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
  Values removed: (none)
  Values added: youlaitech youlai-boot Users Endpoint UserController.java getUserList sql injection

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-74, CWE-89

Type: References
  Values removed: (none)
  Values added: (none listed)

Type: Metrics
  Values removed: (none)
  Values added:
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T00:00:41.088Z

Reserved: 2026-05-02T08:20:55.923Z

Link: CVE-2026-7672

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T00:16:16.317

Modified: 2026-05-03T00:16:16.317

Link: CVE-2026-7672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T02:00:13Z

Weaknesses