Description
A vulnerability was found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 10. Affected by this vulnerability is an unknown functionality of the file /api/Dinner/PayConfig. Manipulating the argument tableno results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE details an SQL injection flaw in the /api/Dinner/PayConfig endpoint of Shenzhen Sixun Software's Sixun Shanghui Group Business Management System version 10. An attacker can manipulate the tableno parameter to inject arbitrary SQL, potentially gaining unauthorized database access, manipulating records, or reading sensitive data. The flaw is classified under CWE-74 and CWE-89: unsanitized input reaches a downstream interpreter, in this case the SQL engine. Because the vulnerability is exploitable remotely over HTTP, an attacker who can reach the endpoint could compromise the system's confidentiality, integrity, or availability.

Affected Systems

Shenzhen Sixun Software's Sixun Shanghui Group Business Management System, specifically version 10, where the /api/Dinner/PayConfig functionality is vulnerable.

Risk and Exploitability

The CVSS base score of 6.9 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV, suggesting no confirmed exploitation in the wild yet. Nonetheless, the flaw is publicly known and the vendor has not released a fix; the attack vector appears to be remote over the network, likely through crafted HTTP requests. Because the flaw enables direct SQL injection, successful exploitation could allow an attacker to read or modify database contents, potentially escalating privileges or tampering with business data.

Generated by OpenCVE AI on May 26, 2026 at 15:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patches or updates as soon as available.
  • Restrict network exposure of the affected endpoint by limiting access to trusted IP ranges or by placing a firewall/WAF in front of the application to block suspicious SQL injection payloads.
  • Review and enforce proper input validation and parameterized queries in the PayConfig code; specifically, treat the tableno parameter as a numeric type and use prepared statements to eliminate injection risk.
  • Change database credentials and enforce least privilege for the application database account.
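The validation and parameterization recommended above, as an added example that is not the vendor's code: the pay_config schema, sample rows and function names are constructed here, and the concatenating lookup is shown only to contrast with the hardened form.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's pay-configuration table.
SAMPLE_ROWS = [(1, "cash"), (2, "card"), (3, "mobile")]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pay_config (tableno INTEGER PRIMARY KEY, method TEXT)")
    conn.executemany("INSERT INTO pay_config VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, raw_tableno):
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so the database parses whatever the client sent as part of the query."""
    sql = f"SELECT tableno, method FROM pay_config WHERE tableno = {raw_tableno}"
    return conn.execute(sql).fetchall()


def parse_tableno(raw_tableno):
    """Accept only a short decimal integer; anything else never reaches the database."""
    if not isinstance(raw_tableno, str) or not re.fullmatch(r"[0-9]{1,6}", raw_tableno):
        raise ValueError("tableno must be a 1-6 digit integer")
    return int(raw_tableno)


def lookup_safe(conn, raw_tableno):
    """Hardened pattern: numeric validation first, then a bound parameter,
    so the value is passed to the engine as data rather than as SQL."""
    tableno = parse_tableno(raw_tableno)
    sql = "SELECT tableno, method FROM pay_config WHERE tableno = ?"
    return conn.execute(sql, (tableno,)).fetchall()


def safe_rejects(conn, raw_tableno):
    """True when the hardened lookup refuses the input instead of querying with it."""
    try:
        lookup_safe(conn, raw_tableno)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A classic tautology in tableno makes the concatenating version return every row.
    print("unsafe:", lookup_unsafe(db, "1 OR 1=1"))
    # The same input is rejected before any SQL is built.
    print("safe rejects:", safe_rejects(db, "1 OR 1=1"))
    print("safe:", lookup_safe(db, "2"))
```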

Advisories

No advisories yet.

History

Thu, 28 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 10. Affected by this vulnerability is an unknown functionality of the file /api/Dinner/PayConfig. Performing a manipulation of the argument tableno results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Shenzhen Sixun Software Sixun Shanghui Group Business Management System PayConfig sql injection
First Time appeared | | Shenzhen Sixun Software; Shenzhen Sixun Software sixun Shanghui Group Business Management System
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:shenzhen_sixun_software:sixun_shanghui_group_business_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Shenzhen Sixun Software; Shenzhen Sixun Software sixun Shanghui Group Business Management System
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-28T13:56:38.295Z

Reserved: 2026-05-26T06:40:48.093Z

Link: CVE-2026-9544

Vulnrichment

Updated: 2026-05-28T13:56:31.542Z

NVD

Status: Deferred

Published: 2026-05-26T14:16:46.537

Modified: 2026-05-26T19:54:40.357

Link: CVE-2026-9544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:30:09Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')