VYPR
High severity (CVSS 8.8) · OSV Advisory · Published Jun 17, 2024 · Updated Apr 15, 2026

CVE-2024-37896

Description

Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.6.5 has a SQL injection vulnerability. SQL injection occurs when a web application passes user-supplied data into SQL queries without sufficiently validating or sanitizing it. When restrictions on user input are not enforced, even a basic form field can be used to inject arbitrary and potentially dangerous SQL commands. This could lead to unauthorized access to the database, data leakage, data manipulation, or even complete compromise of the database server. This vulnerability has been addressed in commit 53d033821, which is included in release version 2.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gin-vue-admin ≤ v2.6.5 has a SQL injection vulnerability in the exportExcel API via the unsanitized 'order' parameter, allowing database compromise.

Vulnerability

Gin-vue-admin, a backstage management system, contains a SQL injection vulnerability in versions up to and including v2.6.5. The flaw resides in the SysExportTemplateService.ExportExcel function, where the order parameter from user input is passed directly to an SQL ORDER BY clause without sufficient validation or sanitization [1][2]. This allows an attacker to inject arbitrary SQL commands.

Exploitation

The attack vector is the /api/sysExportTemplate/exportExcel endpoint [2]. By manipulating the order parameter in the request, an authenticated user can inject SQL into the ORDER BY clause of the export query. The ORDER BY position is enough for an attacker: expressions evaluated there (for example a CASE over a subquery) give boolean-based data extraction even without stacked statements. No privileges are required beyond an account that can reach the export API over the network, consistent with the CVSS 8.8 score [2].

Impact

Successful exploitation can lead to unauthorized access to the database, data leakage, data manipulation, and potentially full compromise of the database server. Given the severity (CVSS 8.8), the risk to confidentiality, integrity, and availability is high [2].

Mitigation

The issue has been addressed in commit 53d033821 [1], which introduces validation to ensure the order parameter only references existing table columns and restricts ordering directions to ASC/DESC. This fix is included in release version 2.6.6 [2]. Users should upgrade immediately; no workarounds are available [2].
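The following Go code is an added example written for this page, not code from gin-vue-admin or from the fix commit. It contrasts the vulnerable pattern (a caller-supplied order string concatenated into ORDER BY) with the allowlist approach the fix is described as taking: the column must exist in a known set and the direction must be ASC or DESC. The exports table, its column allowlist and the attacker input are constructed for illustration; the exact column lookup the project uses is in commit 53d033821, not reproduced here. The point generalizes to any ORM call that accepts a raw ORDER BY fragment (GORM's Order takes a string, so whatever the caller passes reaches the SQL verbatim).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed allowlist for a hypothetical "exports" table. A real service
// would derive this from the export template's table definition.
var exportColumns = map[string]bool{
	"id":         true,
	"created_at": true,
	"updated_at": true,
	"name":       true,
}

// unsafeOrderClause reproduces the vulnerable pattern: the user-controlled
// order string is dropped straight into ORDER BY, so the attacker decides
// what SQL is evaluated there.
func unsafeOrderClause(table, order string) string {
	return fmt.Sprintf("SELECT * FROM %s ORDER BY %s", table, order)
}

// identRe matches a plain SQL identifier; anything with punctuation,
// parentheses or whitespace inside the column token is rejected.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// validateOrder accepts "<column>" or "<column> asc|desc" (case-insensitive),
// requires the column to be in the allowlist, and returns a normalized
// "<column> ASC|DESC" fragment. Everything else is an error.
func validateOrder(order string, allowed map[string]bool) (string, error) {
	fields := strings.Fields(strings.TrimSpace(order))
	if len(fields) == 0 || len(fields) > 2 {
		return "", errors.New("order must be '<column>' or '<column> asc|desc'")
	}
	col := strings.ToLower(fields[0])
	if !identRe.MatchString(col) || !allowed[col] {
		return "", fmt.Errorf("unknown or invalid order column %q", fields[0])
	}
	dir := "ASC"
	if len(fields) == 2 {
		switch strings.ToUpper(fields[1]) {
		case "ASC", "DESC":
			dir = strings.ToUpper(fields[1])
		default:
			return "", fmt.Errorf("invalid order direction %q", fields[1])
		}
	}
	return col + " " + dir, nil
}

// safeOrderClause is the hardened counterpart of unsafeOrderClause: only a
// validated fragment ever reaches the query string.
func safeOrderClause(table, order string) (string, error) {
	frag, err := validateOrder(order, exportColumns)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT * FROM %s ORDER BY %s", table, frag), nil
}

func main() {
	// Constructed attacker input: a CASE expression in the ORDER BY position,
	// the building block of boolean-based extraction.
	hostile := "(CASE WHEN (SELECT 1)=1 THEN id ELSE name END)"
	fmt.Println("vulnerable:", unsafeOrderClause("exports", hostile))
	if _, err := safeOrderClause("exports", hostile); err != nil {
		fmt.Println("hardened rejects it:", err)
	}
	q, _ := safeOrderClause("exports", "created_at desc")
	fmt.Println("hardened accepts:", q)
}
```

The allowlist is the load-bearing part: parameter binding cannot be used for identifiers, so validating the column name against known columns (and pinning the direction to two literals) is the standard defence for sortable APIs.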

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
