CVE-2026-37428
Description
qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in qihang-wms SysDeptMapper allows attackers to extract sensitive database information including user PII.
Vulnerability
Details
CVE-2026-37428 is a SQL injection vulnerability in the qihang-wms (启航电商WMS) application, specifically in the SysDeptMapper.xml file. The root cause is the use of ${param.dataScope} in a MyBatis mapper, which directly interpolates user-supplied input into SQL queries without proper sanitization or parameterization [1][2]: MyBatis ${} substitutes the raw string into the statement text before it is sent to the database, whereas #{} binds the value as a prepared-statement parameter. This allows an attacker to inject arbitrary SQL commands through the datascope parameter.
Exploitation
The vulnerability is triggered via an HTTP GET request to the /prod-api/system/role/list endpoint, where the params[dataScope] parameter is passed with malicious SQL payloads [2]. The attacker must be authenticated, as evidenced by the required Bearer token in the Authorization header [2]. The injection is blind Boolean-based, enabling the attacker to infer database contents by observing response differences.
Impact
Successful exploitation grants the attacker the ability to extract sensitive information from the database, including user Personally Identifiable Information (PII), account credentials, and transaction data [1][2]. The attacker may also escalate privileges to DBA level, potentially compromising the entire database server.
Mitigation
As of the publication date, no official patch has been released for this vulnerability. The affected commit is 75c15a, and users are advised to apply input validation and use parameterized queries to mitigate the risk. The vendor's website is qihangerp.cn [2].
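The Details and Mitigation sections above describe the ${} splice and the recommended fix in words. The following is an added illustration (not code from qihang-wms or its vendor) that mirrors the two behaviours in Python against an in-memory SQLite table: a vulnerable builder that splices a client-supplied dataScope string the way MyBatis ${} does, a hardened handler that derives the scope server-side from the authenticated role and binds dept ids as parameters, and a request check a defender can use to flag clients that try to supply dataScope at all. The table, role mapping and column names are assumptions, not the project's schema.

```python
import sqlite3

# Constructed stand-in for the WMS sys_dept table (assumption, not the real schema).
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE sys_dept(dept_id INTEGER PRIMARY KEY, dept_name TEXT);
INSERT INTO sys_dept VALUES (100, 'HQ'), (101, 'Warehouse A'), (102, 'Warehouse B');
""")

def vulnerable_query(params: dict) -> str:
    """Mirrors MyBatis ${params.dataScope}: the client string lands verbatim in the
    SQL text, so the caller, not the database driver, decides what is code."""
    data_scope = params.get("dataScope", "")
    return f"SELECT dept_id, dept_name FROM sys_dept WHERE 1=1 {data_scope}"

# Hypothetical role -> permitted dept_ids; None means unrestricted. In a real
# deployment this comes from the session/role store, never from the request.
ROLE_DEPTS = {"admin": None, "warehouse_a_lead": [101]}

def list_depts(role: str, params: dict) -> list:
    """Hardened handler: any client-supplied params['dataScope'] is discarded,
    the scope is computed from the role, and dept ids are bound with '?'."""
    if role not in ROLE_DEPTS:
        return []
    allowed = ROLE_DEPTS[role]
    if allowed is None:
        return _conn.execute("SELECT dept_id, dept_name FROM sys_dept").fetchall()
    placeholders = ",".join("?" * len(allowed))
    sql = f"SELECT dept_id, dept_name FROM sys_dept WHERE dept_id IN ({placeholders})"
    return _conn.execute(sql, tuple(allowed)).fetchall()

def client_sets_data_scope(params: dict) -> bool:
    """Detection aid: a legitimate client never needs to send dataScope, so its
    presence in request parameters is worth logging or blocking at the edge."""
    return any(k.lower().replace("params[", "").rstrip("]") == "datascope" for k in params)

if __name__ == "__main__":
    # Constructed request carrying a server-only parameter with a quote in it.
    req = {"params[dataScope]": "AND dept_name = 'x'"}
    print(vulnerable_query({"dataScope": req["params[dataScope]"]}))
    print(list_depts("warehouse_a_lead", req))
    print(client_sets_data_scope(req))
```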
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.