CVE-2026-8773
Description
A security vulnerability has been detected in linlinjava litemall up to 1.8.0. Affected by this vulnerability is the function backup/load of the file litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java of the component Database Setting Handler. Manipulation of the argument db/password leads to argument injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Argument injection in litemall's DbUtil allows remote attackers to write arbitrary files via crafted db or password parameters.
Vulnerability
A security vulnerability exists in linlinjava litemall up to version 1.8.0. The backup() and load() functions in litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java directly concatenate the db and password parameters into a Runtime.exec() call without sanitization. This allows argument injection into the mysqldump and mysql commands. The affected code path is reachable via the Database Setting Handler, which can be triggered remotely [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted db or password parameters to the backup/load functionality. No authentication is required if the handler is exposed. The attacker injects additional command-line arguments (e.g., --result-file) into the executed command. The proof-of-concept demonstrates that injecting --result-file=/tmp/arbitrary_file.txt via the db parameter creates a file on the server [1].
Impact
Successful exploitation allows an attacker to write arbitrary files to the server's filesystem with the privileges of the application process. This could lead to further compromise, such as overwriting configuration files or planting malicious code. The impact is limited to file write; no remote code execution is demonstrated in the available references [1].
Mitigation
As of the publication date, the vendor has not responded to the disclosure and no patch is available. Users should restrict network access to the Database Setting Handler, validate the db and password parameters before use, and avoid building Runtime.exec() commands by string concatenation. Affected versions are linlinjava/litemall up to 1.8.0 [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
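The Mitigation section's advice, shown as an added example that is not litemall's code and not a patch from the project: a hypothetical hardened backup() that validates the db and user parameters against an identifier allowlist, runs mysqldump as an argument list rather than a concatenated command string, and keeps the password out of argv. The class and method names and the use of the MYSQL_PWD environment variable are my assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical hardened backup helper; not litemall's own DbUtil.
public final class SafeDbBackup {
    // Allowlist of MySQL unquoted-identifier characters (max 64). A leading '-'
    // cannot match, so no accepted value is ever parsed by mysqldump as an option.
    // This check, not ProcessBuilder by itself, is what blocks argument injection.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z0-9_$]{1,64}");

    static String requireIdentifier(String what, String value) {
        if (value == null || !IDENT.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected " + what);
        }
        return value;
    }

    // Runs mysqldump for one database and writes the dump to a server-chosen file.
    // Returns the mysqldump exit status (0 on success).
    static int backup(String host, String user, String password, String db, File out)
            throws IOException, InterruptedException {
        String safeDb = requireIdentifier("database name", db);
        String safeUser = requireIdentifier("user name", user);

        // Argument list, not a concatenated command string: no shell metacharacter
        // handling, and each caller-supplied value stays inside one argv element.
        ProcessBuilder pb = new ProcessBuilder(List.of(
                "mysqldump", "--host=" + host, "--user=" + safeUser, safeDb));

        // The password never touches argv (or `ps` output). MYSQL_PWD is documented
        // by MySQL but deprecated since 8.0; a mode-0600 client option file is the
        // longer-term alternative.
        pb.environment().put("MYSQL_PWD", password);

        pb.redirectOutput(out);  // destination fixed by the server, not the request
        pb.redirectError(ProcessBuilder.Redirect.INHERIT);
        return pb.start().waitFor();
    }
}
```

The argument list alone would not stop this bug class: a db value beginning with "--" would still be read by mysqldump as an option, so the allowlist check is the control that matters here.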
Affected products
- Range: <=1.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.