CVE-2026-11412
Description
SQL injection vulnerability in Jinher OA C6's GetFormSn.aspx allows remote attackers to execute arbitrary SQL queries via the queryID parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in Jinher OA C6's GetFormSn.aspx allows remote attackers to execute arbitrary SQL queries via the queryID parameter.
Vulnerability
A SQL injection vulnerability exists in Jinher OA C6 within the /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx file. The vulnerability arises because the application does not properly validate or filter the queryID parameter, allowing special characters to be directly executed in database queries [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By manipulating the queryID parameter with specially crafted SQL statements, an attacker can trigger a time-based delay in the database response, confirming the vulnerability and potentially exfiltrating data [1].
Impact
Successful exploitation of this SQL injection vulnerability allows an attacker to execute arbitrary SQL commands on the underlying database. This could lead to unauthorized data access, modification, or deletion, depending on the privileges of the database user associated with the Jinher OA application.
Mitigation
No patched version or specific mitigation details have been disclosed in the available references. The vendor was contacted but did not respond. It is recommended to restrict access to the affected application until a patch is available.
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly filter user-submitted data, leading to SQL injection."
Attack vector
An attacker can exploit this vulnerability by sending a crafted request to the `/C6/JHSoft.Web.ModuleCount/GetFormSn.aspx` endpoint. The vulnerability lies in the `queryID` parameter, which is not validated or filtered for special characters. By manipulating this parameter with SQL injection payloads, an attacker can execute arbitrary SQL commands on the database. The advisory indicates that unauthorized access is allowed, and the exploit can be performed remotely [ref_id=1].
Affected code
The vulnerability exists in the `GetFormSn.aspx` file within the `/C6/JHSoft.Web.ModuleCount/` directory. Specifically, the `queryID` parameter is susceptible to SQL injection due to a lack of proper input validation and filtering of special characters [ref_id=1].
What the fix does
The patch is not available in the provided information. The advisory does not specify any remediation steps or fixes from the vendor, who did not respond to the disclosure [ref_id=1]. Users are advised to consult the vendor for potential solutions.
Preconditions
- inputThe `queryID` parameter must be manipulated with SQL injection payloads.
- authUnauthorized access is allowed [ref_id=1].
Reproduction
1. Unauthorized access is allowed 2. By examining the admin/print.php code, it was discovered that the id parameter was concatenated in the SQL statement 3. When the database name is other, the delay changes significantly The current database name can be determined as C6 through delay. [ref_id=1]
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
0No linked articles in our index yet.