VYPR
Medium severity · CVSS 4.7 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-8772

Description

A weakness has been identified in linlinjava litemall up to 1.8.0. Affected is an unknown function of the component Admin Endpoint. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Litemall ≤1.8.0 admin list endpoints are vulnerable to SQL injection via the sort and order parameters, allowing attackers to manipulate database queries remotely.

Vulnerability

Litemall up to version 1.8.0 contains a SQL injection vulnerability in multiple admin controller list endpoints. The flaw exists because the sort and order HTTP parameters are concatenated directly into the ORDER BY clause through the MyBatis Mapper XML expression ${orderByClause}, which MyBatis substitutes verbatim into the SQL text rather than binding as a parameter. The affected endpoints include /admin/aftersale/list, /admin/comment/list, /admin/feedback/list, /admin/topic/list, /admin/ad/list, /admin/coupon/list, /admin/user/list, and /admin/storage/list [1]. No authentication is explicitly mentioned as required to reach these endpoints.

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP GET requests to any of the affected admin list endpoints. The sort parameter can contain SQL injection payloads, such as IF(1=1,id,name), which are executed by the MySQL database backend. The proof of concept demonstrates boolean-based blind SQL injection: changing the condition from true to false alters the sort order, confirming successful injection [1]. The attack is network-based and does not require user interaction.

Impact

A successful SQL injection attack could allow an attacker to extract sensitive data from the underlying database, including user information, order details, and other confidential records. The attacker may also be able to modify or delete data, depending on the database user privileges. The impact is information disclosure and potential data integrity compromise.

Mitigation

As of the published date (2026-05-18), the vendor was contacted but did not respond [1]. No official patch or fixed version has been released. Users should apply input validation and use parameterized queries as a workaround, or consider upgrading to a forked or alternative version that addresses this issue. The vulnerability is not listed in the KEV catalog at this time.
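An ORDER BY column or direction cannot be bound as a prepared-statement parameter, so the practical mitigation for the ${orderByClause} pattern described above is to allowlist sort and order before they reach the mapper. The helper below is an added example, not litemall's code; the endpoint names and column allowlists are assumed for illustration.

```java
import java.util.Map;
import java.util.Set;

/** Allowlist guard for sort/order request parameters (hypothetical helper). */
public final class OrderByGuard {
    // Constructed per-endpoint allowlists; the column names are assumed examples,
    // not taken from litemall's schema.
    private static final Map<String, Set<String>> SORTABLE = Map.of(
        "user",    Set.of("id", "username", "add_time", "update_time"),
        "coupon",  Set.of("id", "name", "add_time"),
        "comment", Set.of("id", "add_time")
    );
    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    private OrderByGuard() {}

    /**
     * Builds the only value that should ever be handed to a MyBatis
     * <code>ORDER BY ${orderByClause}</code>. Anything not on the allowlist is
     * rejected instead of being forwarded to the database.
     */
    public static String orderByClause(String endpoint, String sort, String order) {
        Set<String> columns = SORTABLE.get(endpoint);
        if (columns == null) {
            throw new IllegalArgumentException("unknown endpoint: " + endpoint);
        }
        String col = (sort == null || sort.isEmpty()) ? "add_time" : sort;
        String dir = (order == null || order.isEmpty()) ? "desc" : order.toLowerCase();
        if (!columns.contains(col)) {
            throw new IllegalArgumentException("sort column not allowed: " + col);
        }
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("order direction not allowed: " + dir);
        }
        // Backticks quote the identifier for MySQL; the value is already allowlisted.
        return "`" + col + "` " + dir;
    }

    public static void main(String[] args) {
        System.out.println(orderByClause("user", "add_time", "desc"));
        try {
            // The expression-style value quoted in the advisory is not an identifier
            // on the allowlist, so it never reaches the mapper.
            orderByClause("user", "IF(1=1,id,name)", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Returning a 400 from the controller when this throws also gives the web server log a clear signal of sort/order values that were not plain column names.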

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 0 (no linked articles indexed yet)