CVE-2026-37429
Description
qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII) via a crafted SQL statement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in qihang-wms commit 75c15a via the datascope parameter in SysUserMapper.xml enables attackers to extract sensitive database information, including user PII.
Vulnerability Overview
CVE-2026-37429 is a SQL injection vulnerability found in the qihang-wms (启航电商WMS) application, specifically in commit 75c15a. The root cause is the use of the ${param.dataScope} construct in the SysUserMapper.xml file, which directly interpolates user-supplied input into SQL queries without proper sanitization or parameterization [1][2]. This allows an attacker to inject arbitrary SQL commands via the params[dataScope] parameter. The vulnerability is present in the /system/user/list endpoint of the application [2].
Exploitation Method
An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the /prod-api/system/user/list endpoint with a malicious params[dataScope] value. The request requires a valid authentication token (Bearer or Admin-Token), meaning an attacker must first obtain access to an authenticated session [2]. Once authenticated, the attacker can inject SQL payloads such as and length(database())=11 to infer information about the database, enabling a blind SQL injection approach to extract data character by character [2].
Impact
Successful exploitation allows the attacker to retrieve arbitrary data from the database, including users' Personally Identifiable Information (PII), accounts, transaction details, and other sensitive information [2]. The vulnerability could also potentially lead to obtaining database administration (DBA) privileges, compromising the entire backend database [2]. This exposure is especially dangerous for an e-commerce WMS system, as it can leak sensitive customer and business data.
Mitigation Status
As of the published date (2026-05-13), the vulnerability exists in the specific commit 75c15a of the qihang-wms project. No patch or vendor advisory has been referenced in the available sources. Users are advised to review their application's MyBatis mapper files, replace ${} parameter interpolation with safe #{} parameterized statements, and ensure that authentication tokens are protected from unauthorized access [1][2].
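An added audit helper, not code from the qihang-wms project: it parses a MyBatis mapper document and reports every `${...}` substitution inside a statement, which is the construct the mitigation above says to replace with `#{...}`. Both mapper documents are constructed samples, and the `<foreach>`-based department filter in the hardened one is an assumed design, not the project's fix.

```python
import re
import xml.etree.ElementTree as ET

# ${...} placeholders are spliced into the SQL text verbatim by MyBatis;
# #{...} placeholders become bound JDBC parameters, so only the former can inject.
INTERPOLATION = re.compile(r"\$\{\s*([^}]+?)\s*\}")
STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}

def find_unsafe_interpolations(mapper_xml: str) -> list[tuple[str, str]]:
    """Return (statement id, expression) for every ${...} in a mapper document."""
    findings = []
    for stmt in ET.fromstring(mapper_xml).iter():
        if stmt.tag not in STATEMENT_TAGS:
            continue
        # itertext() also walks text nested in <where>/<if>/<foreach> children
        for expr in INTERPOLATION.findall("".join(stmt.itertext())):
            findings.append((stmt.get("id", "?"), expr))
    return findings

# Constructed sample in the shape the advisory describes: the data-scope filter
# is spliced in with ${...}. This is NOT the project's actual SysUserMapper.xml.
VULNERABLE_MAPPER = """<mapper namespace="example.SysUserMapper">
  <select id="selectUserList" resultMap="SysUserResult">
    select u.user_id, u.user_name, u.email, u.phonenumber from sys_user u
    <where>
      u.del_flag = '0'
      <if test="userName != null and userName != ''">
        AND u.user_name like concat('%', #{userName}, '%')
      </if>
      ${params.dataScope}
    </where>
  </select>
</mapper>"""

# Hardened variant (assumed design, not the project's fix): the server resolves the
# caller's permitted department ids itself and the mapper binds each with #{...}.
HARDENED_MAPPER = """<mapper namespace="example.SysUserMapper">
  <select id="selectUserList" resultMap="SysUserResult">
    select u.user_id, u.user_name, u.email, u.phonenumber from sys_user u
    <where>
      u.del_flag = '0'
      <if test="params.deptIds != null">
        AND u.dept_id IN
        <foreach collection="params.deptIds" item="deptId" open="(" separator="," close=")">#{deptId}</foreach>
      </if>
    </where>
  </select>
</mapper>"""
```

Run `find_unsafe_interpolations` over each mapper file in a code base to list the statements that still rely on string substitution; each hit is a candidate for the `#{}` rewrite described above.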
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = commit 75c15a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.