{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2820", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-19T17:17:49.621Z", "datePublished": "2026-02-20T02:02:08.371Z", "dateUpdated": "2026-02-23T10:30:06.183Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:30:06.183Z"}, "title": "Fujian Smart Integrated Management Platform System XAccessPermissionPlus.ashx sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Fujian", "product": "Smart Integrated Management Platform System", "versions": [{"version": "7.0", "status": "affected"}, {"version": "7.1", "status": "affected"}, {"version": "7.2", "status": "affected"}, {"version": "7.3", "status": "affected"}, {"version": "7.4", "status": "affected"}, {"version": "7.5", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-19T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-22T07:44:52.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "lanmeik (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346945", "name": "VDB-346945 | Fujian Smart Integrated Management Platform System XAccessPermissionPlus.ashx sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346945", "name": "VDB-346945 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.753397", "name": "Submit #753397 | Fuzhou Yinda Yunchuang Information Technology Smart Integrated Management Platform System 7.5 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/luoye197-prog/cve-yinda-sql/blob/main/introduce", "tags": ["broken-link"]}, {"url": "https://github.com/luoye197-prog/cve-yinda-sql/blob/main/poc.py", "tags": ["broken-link", "exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T16:38:52.927957Z", "id": "CVE-2026-2820", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T16:39:20.002Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2820", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T16:38:52.927957Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T16:39:14.724Z"}}], "cna": {"title": "Fujian Smart Integrated Management Platform System XAccessPermissionPlus.ashx sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "lanmeik (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Fujian", "product": "Smart Integrated Management Platform System", "versions": [{"status": "affected", "version": "7.0"}, {"status": "affected", "version": "7.1"}, {"status": "affected", "version": "7.2"}, {"status": "affected", "version": "7.3"}, {"status": "affected", "version": "7.4"}, {"status": "affected", "version": "7.5"}]}], "timeline": [{"lang": "en", "time": "2026-02-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-19T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-22T07:44:52.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346945", "name": "VDB-346945 | Fujian Smart Integrated Management Platform System XAccessPermissionPlus.ashx sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346945", "name": "VDB-346945 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.753397", "name": "Submit #753397 | Fuzhou Yinda Yunchuang Information Technology Smart Integrated Management Platform System 7.5 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/luoye197-prog/cve-yinda-sql/blob/main/introduce", "tags": ["broken-link"]}, {"url": "https://github.com/luoye197-prog/cve-yinda-sql/blob/main/poc.py", "tags": ["broken-link", "exploit"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:30:06.183Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2820", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:30:06.183Z", "dateReserved": "2026-02-19T17:17:49.621Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-20T02:02:08.371Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks."}, {"lang": "es", "value": "Se ha descubierto un fallo de seguridad en el sistema Fujian Smart Integrated Management Platform System hasta la versi\u00f3n 7.5. Este problema afecta a un procesamiento desconocido del archivo /Module/CRXT/Controller/XAccessPermissionPlus.ashx. Manipular el argumento DeviceIDS provoca una inyecci\u00f3n SQL. El ataque puede ser lanzado de forma remota. El exploit ha sido publicado y puede ser utilizado para ataques."}], "id": "CVE-2026-2820", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-20T02:16:55.593", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/luoye197-prog/cve-yinda-sql/blob/main/introduce"}, {"source": "cna@vuldb.com", "url": "https://github.com/luoye197-prog/cve-yinda-sql/blob/main/poc.py"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346945"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346945"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.753397"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.0,7.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Smart Integrated Management Platform System", "source": "cna", "vendor": "Fujian"}, "product": "smart_integrated_management_platform_system", "vendor": "fujian"}], "analysis": {"en": {"generated_at": "2026-04-18T11:35:31.668028+00:00", "value": {"mitigation_remediation": ["Apply vendor patch when available.", "Implement input validation and use parameterized queries on DeviceIDS to prevent injection.", "Restrict network access to the vulnerable endpoint and monitor logs for suspicious activity."], "summary": {"action": "Patch Now", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Fujian Smart Integrated Management Platform System, with vulnerable versions up to 7.5 inclusive. No specific patch status is mentioned, so any system running 7.5 or an earlier release may be at risk.", "description_and_impact": "The vulnerability is a remote SQL injection in the Fujian Smart Integrated Management Platform System. A crafted request to /Module/CRXT/Controller/XAccessPermissionPlus.ashx that manipulates the DeviceIDS argument can inject arbitrary SQL. This leads to unauthorized data disclosure or modification, affecting the confidentiality and integrity of the system\u2019s database.", "risk_and_exploitability": "The CVSS score is 6.9, indicating a moderate to high severity. The EPSS score is <1%, suggesting low but non-zero exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires remote delivery of a malicious query via the web application, and an attacker can use the publicly available exploit to perform unauthorized database operations."}}}}, "created": "2026-02-20T09:52:53.390414+00:00", "updated": "2026-04-18T11:45:44.589448+00:00", "vendors": ["fujian", "fujian$PRODUCT$smart_integrated_management_platform_system"]}