{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2963", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-22T07:22:45.351Z", "datePublished": "2026-02-23T00:32:13.932Z", "dateUpdated": "2026-02-23T13:50:26.894Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T00:32:13.932Z"}, "title": "Jinher OA C6 OfficeSupplyTypeRight.aspx sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Jinher", "product": "OA C6", "versions": [{"version": "20260210", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to install a patch to address this issue. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-22T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-22T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-22T08:27:48.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "smitug01 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.347330", "name": "VDB-347330 | Jinher OA C6 OfficeSupplyTypeRight.aspx sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.347330", "name": "VDB-347330 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.755216", "name": "Submit #755216 | Jinher C6 v1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuln.ricky.place/Jinher/C6/", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T13:50:13.440108Z", "id": "CVE-2026-2963", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T13:50:26.894Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2963", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T13:50:13.440108Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T13:50:18.292Z"}}], "cna": {"title": "Jinher OA C6 OfficeSupplyTypeRight.aspx sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "smitug01 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "Jinher", "product": "OA C6", "versions": [{"status": "affected", "version": "20260210"}]}], "timeline": [{"lang": "en", "time": "2026-02-22T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-22T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-22T08:27:48.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.347330", "name": "VDB-347330 | Jinher OA C6 OfficeSupplyTypeRight.aspx sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.347330", "name": "VDB-347330 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.755216", "name": "Submit #755216 | Jinher C6 v1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuln.ricky.place/Jinher/C6/", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to install a patch to address this issue. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T00:32:13.932Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2963", "state": "PUBLISHED", "dateUpdated": "2026-02-23T13:50:26.894Z", "dateReserved": "2026-02-22T07:22:45.351Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-23T00:32:13.932Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to install a patch to address this issue. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en Jinher OA C6 hasta 20260210. El problema afecta a alg\u00fan procesamiento desconocido del archivo /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. Si se manipula el argumento id/offsnum se provoca una inyecci\u00f3n SQL. Es posible iniciar el ataque en remoto. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. Se sugiere instalar un parche para abordar este problema. El proveedor fue contactado con antelaci\u00f3n sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-2963", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-23T01:16:18.130", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.347330"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.347330"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.755216"}, {"source": "cna@vuldb.com", "url": "https://vuln.ricky.place/Jinher/C6/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "20260210"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OA C6", "source": "cna", "vendor": "Jinher"}, "product": "oa_c6", "vendor": "jinher"}], "analysis": {"en": {"generated_at": "2026-04-17T16:25:47.585657+00:00", "value": {"mitigation_remediation": ["Apply the vendor-provided patch that fixes the SQL injection flaw in OfficeSupplyTypeRight.aspx.", "Ensure that access to OfficeSupplyTypeRight.aspx is protected by proper authentication and that only authorized personnel can reach it.", "Implement input validation or use parameterized queries for the id and offsnnum parameters to eliminate the possibility of SQL injection."], "summary": {"action": "Apply Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "Jinher OA C6 up to the build dated 20260210 is affected. No specific patch level or version list is included beyond this date. The vulnerability resides in the OfficeSupplyTypeRight.aspx endpoint of the Jinher OA C6 application.", "description_and_impact": "A flaw in Jinher OA C6 allows attackers to manipulate the id/offsnum argument on the OfficeSupplyTypeRight.aspx page, leading to SQL injection. The vulnerability can be triggered remotely, enabling an attacker to read, modify, or delete data within the underlying database, potentially compromising confidentiality, integrity, or availability of sensitive business information. The weakness aligns with CWE-74 URL\u2011Parameter Manipulation and CWE-89 SQL Injection.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% reflects a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely used exploit has been observed. Attackers would need network or web access to the application and could exploit the flaw remotely by providing crafted requests to the OfficeSupplyTypeRight.aspx endpoint."}}}}, "created": "2026-02-23T14:28:30.932829+00:00", "updated": "2026-04-17T16:30:05.835836+00:00", "vendors": ["jinher", "jinher$PRODUCT$oa_c6"]}