CVE-2026-7699 - Vulnerability Details

- Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection

Description

A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-03

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in Dromara MaxKey’s StrUtils.checkSqlInjection method, where a manipulated filtersfields argument can cause arbitrary SQL to be injected into database queries. The flaw is exploitable remotely, as the affected code is reachable over the network. The description confirms that the vendor has not responded to the disclosure. No further evidence is provided regarding specific data that could be accessed or altered; the impact is limited to the information available through the compromised database.

Affected Systems

Versions of Dromara MaxKey up to and including 3.5.13 are affected. The flaw resides in the StrUtils.java component that processes user-supplied filter fields. Administrators should verify whether their deployments run a vulnerable release and plan to upgrade to a fixed version when one becomes available.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. An exploit is publicly available and can be triggered remotely, but no documented real-world attacks have been cited. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Organizations running vulnerable versions should consider remediation to avoid potential exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Dromara

MaxKey

affected

Version	Status	Constraints
`3.5.0`	affected	—
`3.5.1`	affected	—
`3.5.2`	affected	—
`3.5.3`	affected	—
`3.5.4`	affected	—
`3.5.5`	affected	—
`3.5.6`	affected	—
`3.5.7`	affected	—
`3.5.8`	affected	—
`3.5.9`	affected	—
`3.5.10`	affected	—
`3.5.11`	affected	—
`3.5.12`	affected	—
`3.5.13`	affected	—

No data.

Vendor Product Confidence Versions

Dromara

Maxkey

100%

Version	Status	Scheme	Platform
`3.5.0`	affected	semver	—
`3.5.1`	affected	semver	—
`3.5.2`	affected	semver	—
`3.5.3`	affected	semver	—
`3.5.4`	affected	semver	—
`3.5.5`	affected	semver	—
`3.5.6`	affected	semver	—
`3.5.7`	affected	semver	—
`3.5.8`	affected	semver	—
`3.5.9`	affected	semver	—
`3.5.10`	affected	semver	—
`3.5.11`	affected	semver	—
`3.5.12`	affected	semver	—
`3.5.13`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Dromara MaxKey to a release newer than 3.5.13 when available.
Implement input validation or use parameterized queries to prevent injection when constructing SQL commands, and review the use of StrUtils.checkSqlInjection for user-provided data.
Deploy a web application firewall or similar measures to detect and block common SQL injection patterns.

Generated by OpenCVE AI on May 3, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection
https://vuldb.com/submit/804260
https://vuldb.com/vuln/360868
https://vuldb.com/vuln/360868/cti

History

Mon, 04 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 03 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dromara Dromara maxkey
Vendors & Products		Dromara Dromara maxkey

Sun, 03 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection https://vuldb.com/submit/804260 https://vuldb.com/vuln/360868 https://vuldb.com/vuln/360868/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Dromara Maxkey

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-03T14:00:17.835Z

Updated: 2026-05-04T13:21:09.093Z

Reserved: 2026-05-02T20:13:29.047Z

Link: CVE-2026-7699

Vulnrichment

Updated: 2026-05-04T13:21:01.157Z

NVD

Status : Deferred

Published: 2026-05-03T15:15:59.483

Modified: 2026-05-05T19:11:29.130

Link: CVE-2026-7699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T17:00:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object