CVE-2026-11480
Description
SQL injection vulnerability in BeikeShop Admin Design Builder Endpoint allows remote attackers to execute arbitrary SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the Admin Design Builder endpoint of Chengdu Everbrite Network Technology BeikeShop, versions up to and including 1.6.0.22. The endpoint is routed in beike/Admin/Routes/admin.php; manipulating the settings.value argument lets attacker-controlled design module IDs reach SQL queries. The attack can be initiated remotely.
Exploitation
An attacker with access to the Admin Design Builder endpoint exploits the vulnerability remotely by manipulating the settings.value argument. The advisory does not name the affected function. The fix commit indicates that the injected data is the brand and product ID lists carried in design module content, and that the injection is second-order: the tampered IDs are accepted and stored with the design settings, and the malicious SQL takes effect later, when the stored content is read back and used in a query.
Impact
Successful exploitation lets an attacker run arbitrary SQL against the shop database, which can disclose or modify stored data. Whether it can be escalated further, up to code execution, depends on the privileges of the database user the application connects with and on the database configuration.
Mitigation
A patch is available as commit 2fa9805411088069fcc3b0c15b2f1f33d6e09958 [1]; deploy it to fix the issue. The release that contains the fix is not specified; the patch applies to versions up to and including 1.6.0.22. Because the injection is second-order, design settings saved before the patch may still hold tampered ID lists. The repository-level filters in the patch drop non-integer and non-positive values when those settings are read, but reviewing stored design content after upgrading is still prudent.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BeikeShop (Chengdu Everbrite Network Technology), range: <=1.6.0.22
Patches
2fa980541108 fix: sanitize design module ids to prevent second-order SQL injection
3 files changed · +41 −1
beike/Repositories/BrandRepo.php+4 −0 modified@@ -173,6 +173,10 @@ public static function getNames($ids): array */ public static function getListByIds($ids) { + $ids = array_values(array_filter(array_map('intval', (array) $ids), function ($id) { + return $id > 0; + })); + if (empty($ids)) { return []; }
beike/Repositories/ProductRepo.php+4 −1 modified@@ -126,7 +126,10 @@ public static function getBuilder(array $filters = []): Builder $builder->where('brand_id', $brandId); } - $productIds = $filters['product_ids'] ?? []; + $productIds = array_values(array_filter(array_map('intval', (array) ($filters['product_ids'] ?? [])), function ($id) { + return $id > 0; + })); + if ($productIds) { $builder->whereIn('products.id', $productIds);
beike/Services/DesignService.php+33 −0 modified@@ -37,6 +37,8 @@ public static function handleRequestModules($modulesData): array $moduleData['view_path'] = ''; } + $moduleData = self::sanitizeModuleData($moduleData); + $modulesData[$index] = $moduleData; } @@ -329,4 +331,35 @@ private static function handleLink($type, $value): string { return type_route($type, $value); } + + private static function sanitizeModuleData(array $moduleData): array + { + $code = $moduleData['code'] ?? ''; + $content = $moduleData['content'] ?? []; + + if (! is_array($content)) { + return $moduleData; + } + + if ($code == 'brand') { + $content['brands'] = self::sanitizeIds($content['brands'] ?? []); + } elseif ($code == 'product') { + $content['products'] = self::sanitizeIds($content['products'] ?? []); + } + + $moduleData['content'] = $content; + + return $moduleData; + } + + private static function sanitizeIds($ids): array + { + if (! is_array($ids)) { + return []; + } + + return array_values(array_filter(array_map('intval', $ids), function ($id) { + return $id > 0; + })); + } }
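Review bot: In the BrandRepo::getListByIds hunk, the cast-and-filter expression (`array_values(array_filter(array_map('intval', ...), fn > 0))`) is written out a third time in this patch (also in ProductRepo::getBuilder and DesignService::sanitizeIds); pull it into one shared helper so a later tightening of the rule lands in all three places. Note also that `intval` truncates rather than rejects: a value such as `2) UNION ...` becomes `2`, so a tampered request is silently accepted instead of failing; if rejection is intended, check `ctype_digit((string) $id)` and return an error.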
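Review bot: In the ProductRepo::getBuilder hunk, the unchanged `if ($productIds)` check below the new assignment now has a different meaning: a filter whose IDs all fail sanitisation (for example `['abc']`) used to reach `whereIn('products.id', ['abc'])` and match nothing, while after this change `$productIds` is `[]`, the branch is skipped, and the builder returns the unfiltered product set. That turns a no-match into an everything-match. Distinguish "no filter supplied" from "filter supplied but empty after sanitisation", e.g. `if (array_key_exists('product_ids', $filters)) { $builder->whereIn('products.id', $productIds); }`, which with an empty list compiles to a condition that matches no rows.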
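Review bot: In the DesignService hunk, `sanitizeModuleData` is called from `handleRequestModules`, i.e. on the save path, so it protects content saved from now on; rows stored before this commit keep whatever was submitted, and only the repository-level filters in this patch cover them when they are read back. State that in the commit message (it already says "second-order") and consider a one-off cleanup of existing design settings. Separately, `$code == 'brand'` / `$code == 'product'` use loose comparison and form an implicit allow-list of two module codes; use `===` and document which module codes are expected to carry ID lists, since any other module that passes IDs to a repository is not covered here.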
Vulnerability mechanics
Root cause
"The application fails to properly sanitize user-supplied IDs before using them in SQL queries, leading to SQL injection."
Attack vector
An attacker reaches the Admin Design Builder endpoint, routed in beike/Admin/Routes/admin.php, and supplies crafted values in the settings.value argument. The brand and product ID lists in the submitted module content are stored without validation and later reach a SQL query when the stored design content is read back, so the injected SQL executes at that point rather than at submission time (the fix commit calls this second-order). An exploit has been made public and could be used by attackers [ref_id=1].
Affected code
The vulnerable endpoint is routed in beike/Admin/Routes/admin.php. The patch does not touch that file; it modifies `beike/Services/DesignService.php`, where submitted module content is processed, and `beike/Repositories/ProductRepo.php` and `beike/Repositories/BrandRepo.php`, where the stored IDs are used in queries [patch_id=5164435].
What the fix does
The patch adds `sanitizeModuleData` and `sanitizeIds` to `beike/Services/DesignService.php` and calls them from `handleRequestModules`: for modules whose code is `brand` or `product`, the `brands` or `products` list in the content is cast element-by-element to integers and only positive values are kept, so what gets stored is a list of positive integers. `ProductRepo::getBuilder` and `BrandRepo::getListByIds` apply the same cast-and-filter to the IDs they receive, so content stored before the patch is also filtered when it is read [patch_id=5164435]. Note that `intval` truncates rather than rejects: a value such as `2) UNION ...` becomes `2` and the request still succeeds.
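The following added example is not BeikeShop's code and is not taken from the fix commit. It reproduces, in a stand-alone script, the second-order flow described under Exploitation and in this section: IDs submitted to the design builder are stored, then read back and spliced into SQL, with the patch's cast-and-filter rule placed beside the sink. The storefront query, the `settings` table layout, the `cost_price` column, and the function names are assumptions made for illustration; the diff shows only the sanitisation, not the sink. SQLite via PDO stands in for the shop database.

```php
<?php
declare(strict_types=1);

// Added example, not BeikeShop code. Assumptions: an in-memory SQLite database
// stands in for the shop DB; the raw-SQL sink, the `settings` table and the
// `cost_price` column are invented for illustration. Requires PHP 8.0+ with
// the pdo_sqlite extension.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, cost_price TEXT)');
$pdo->exec("INSERT INTO products VALUES (1, 'Mug', '4.10'), (2, 'Cap', '2.75'), (3, 'Internal', '99.00')");
$pdo->exec('CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)');

// The rule the patch applies (DesignService::sanitizeIds and both repositories):
// cast every element to int, keep only positive values, reindex the array.
function sanitizeIds(mixed $ids): array
{
    if (!is_array($ids)) {
        return [];
    }
    return array_values(array_filter(array_map('intval', $ids), fn ($id) => $id > 0));
}

// First order: the admin design-builder request stores the module content.
// The INSERT itself is parameterised, so nothing fires at this stage.
function saveModule(PDO $pdo, array $content, bool $hardened): void
{
    if ($hardened) {
        $content['products'] = sanitizeIds($content['products'] ?? []);
    }
    $stmt = $pdo->prepare('INSERT OR REPLACE INTO settings (name, value) VALUES (?, ?)');
    $stmt->execute(['design.home', json_encode($content)]);
}

// Second order: the storefront reads the stored IDs back and queries products.
function renderModule(PDO $pdo, bool $hardened): array
{
    $raw = $pdo->query("SELECT value FROM settings WHERE name = 'design.home'")->fetchColumn();
    $content = json_decode((string) $raw, true) ?: [];
    $ids = $content['products'] ?? [];

    if ($hardened) {
        // Filter again at the sink (as the patched repositories do) and bind every value.
        $ids = sanitizeIds($ids);
        if ($ids === []) {
            return [];
        }
        $marks = implode(',', array_fill(0, count($ids), '?'));
        $stmt = $pdo->prepare("SELECT id, name FROM products WHERE id IN ($marks)");
        $stmt->execute($ids);
    } else {
        // Assumed vulnerable sink: the stored strings are concatenated into the query.
        if ($ids === []) {
            return [];
        }
        $stmt = $pdo->query('SELECT id, name FROM products WHERE id IN (' . implode(',', $ids) . ')');
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker payload: one genuine ID plus a string that closes the IN
// list and appends a UNION over a column the storefront never exposes.
$payload = ['products' => ['1', '2) UNION SELECT id, cost_price FROM products WHERE (1=1']];

// Vulnerable save and render path.
saveModule($pdo, $payload, hardened: false);
print_r(renderModule($pdo, hardened: false));

// Patched save and render path.
saveModule($pdo, $payload, hardened: true);
print_r(renderModule($pdo, hardened: true));
```

Run with `php example.php`. On the vulnerable path the stored payload is spliced in unchanged and the first print_r shows the `cost_price` of every product in the `name` column; on the patched path `intval` reduces the payload string to `2`, the stored list becomes `[1, 2]`, and the second print_r lists only products 1 and 2. The hardened branch filters at the sink as well as on save because, as the commit message notes, the injection is second-order: content stored before the fix never passed through the save-time filter.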
Preconditions
- auth: the attacker needs low privileges (PR:L) to reach the affected endpoint.
- network: the vulnerability can be exploited remotely (AV:N).
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (0)
No linked articles in our index yet.