ByteOS Network

Vulnerability Details :

CVE-2026-8773

Assigner-VulDB

Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5

Published At-18 May, 2026 | 00:00

Updated At-18 May, 2026 | 00:00

linlinjava litemall Database Setting DbUtil.java load argument injection

A security vulnerability has been detected in linlinjava litemall up to 1.8.0. Affected by this vulnerability is the function backup/load of the file litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java of the component Database Setting Handler. The manipulation of the argument db/password leads to argument injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:VulDB

Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5

Published At:18 May, 2026 | 00:00

Updated At:18 May, 2026 | 00:00

▼CVE Numbering Authority (CNA)

linlinjava litemall Database Setting DbUtil.java load argument injection

Affected Products

Vendor

linlinjava

Product

litemall

CPEs

cpe:2.3:a:linlinjava:litemall:*:*:*:*:*:*:*:*

Modules

Database Setting Handler

Versions

Affected

1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8.0

Problem Types

Type	CWE ID	Description
CWE	CWE-88	Argument Injection
CWE	CWE-74	Injection

Type: CWE

CWE ID: CWE-88

Description: Argument Injection

Type: CWE

CWE ID: CWE-74

Description: Injection

Metrics

Version	Base score	Base severity	Vector
4.0	5.1	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.1	4.7	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.0	4.7	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.0	5.8	N/A	AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Version: 4.0

Base score: 5.1

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Version: 3.1

Base score: 4.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Version: 3.0

Base score: 4.7

Base severity: MEDIUM

Vector:

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Version: 2.0

Base score: 5.8

Base severity: N/A

Vector:

AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Credits

reporter

berna (VulDB User)

coordinator

VulDB CNA Team

Timeline

Event	Date
Advisory disclosed	2026-05-17 00:00:00
VulDB entry created	2026-05-17 02:00:00
VulDB entry last update	2026-05-17 11:41:30

Event: Advisory disclosed

Date: 2026-05-17 00:00:00

Event: VulDB entry created

Date: 2026-05-17 02:00:00

Event: VulDB entry last update

Date: 2026-05-17 11:41:30

References

Hyperlink	Resource
https://vuldb.com/vuln/364398	vdb-entry technical-description
https://vuldb.com/vuln/364398/cti	signature permissions-required
https://vuldb.com/submit/811469	third-party-advisory
https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b	exploit

Hyperlink: https://vuldb.com/vuln/364398

Resource:

vdb-entry

technical-description

Hyperlink: https://vuldb.com/vuln/364398/cti

Resource:

signature

permissions-required

Hyperlink: https://vuldb.com/submit/811469

Resource:

third-party-advisory

Hyperlink: https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b

Resource:

exploit

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:cna@vuldb.com

Published At:18 May, 2026 | 00:16

Updated At:18 May, 2026 | 00:16

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	2.0	LOW	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	4.7	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Secondary	2.0	5.8	MEDIUM	AV:N/AC:L/Au:M/C:P/I:P/A:P

Type: Secondary

Version: 4.0

Base score: 2.0

Base severity: LOW

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 4.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Type: Secondary

Version: 2.0

Base score: 5.8

Base severity: MEDIUM

Vector:

AV:N/AC:L/Au:M/C:P/I:P/A:P

Weaknesses

CWE ID	Type	Source
CWE-74	Primary	cna@vuldb.com
CWE-88	Primary	cna@vuldb.com

CWE ID: CWE-74

Type: Primary

Source: cna@vuldb.com

CWE ID: CWE-88

Type: Primary

Source: cna@vuldb.com

References

Hyperlink	Source	Resource
https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b	cna@vuldb.com	N/A
https://vuldb.com/submit/811469	cna@vuldb.com	N/A
https://vuldb.com/vuln/364398	cna@vuldb.com	N/A
https://vuldb.com/vuln/364398/cti	cna@vuldb.com	N/A

Hyperlink: https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b

Source: cna@vuldb.com

Resource: N/A

Hyperlink: https://vuldb.com/submit/811469

Source: cna@vuldb.com

Resource: N/A

Hyperlink: https://vuldb.com/vuln/364398

Source: cna@vuldb.com

Resource: N/A

Hyperlink: https://vuldb.com/vuln/364398/cti

Source: cna@vuldb.com

Resource: N/A

Similar CVEs

212Records found

CVE-2024-11658

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.95% / 76.63%

7 Day CHG~0.00%

Published-25 Nov, 2024 | 06:00

Updated-12 Feb, 2025 | 15:33

EnGenius ENH1350EXT/ENS500-AC/ENS620EXT ajax_getChannelList command injection

A vulnerability has been found in EnGenius ENH1350EXT, ENS500-AC and ENS620EXT up to 20241118 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/network/ajax_getChannelList. The manipulation of the argument countryCode leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vendor-engeniustech EnGenius engeniustech

Product-ens620ext ens500-ac_firmware enh1350ext_firmware enh1350ext ens500-ac ens620ext_firmware ENH1350EXT ENS500-AC ENS620EXT enh1350ext_firmware ens500-ac_firmware ens620ext_firmware

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2020-4027

Matching Score-4

Assigner-Atlassian

View Details

Matching Score-4

Assigner-Atlassian

CVSS Score-4.7||MEDIUM

EPSS-0.15% / 34.87%

7 Day CHG~0.00%

Published-01 Jul, 2020 | 01:35

Updated-17 Sep, 2024 | 01:56

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.

Vendor-Atlassian

Product-confluence_server confluence Confluence Server Confluence Data Center

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2024-10946

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.19% / 40.19%

7 Day CHG~0.00%

Published-07 Nov, 2024 | 03:31

Updated-11 Dec, 2024 | 19:58

Guangzhou Tuchuang Computer Software Development Interlib Library Cluster Automation Management System SysLib sql injection

A vulnerability classified as critical has been found in Guangzhou Tuchuang Computer Software Development Interlib Library Cluster Automation Management System up to 2.0.1. This affects an unknown part of the file /interlib/admin/SysLib?cmdACT=inputLIBCODE&mod=batchXSL&xsl=editLIBCODE.xsl&libcodes=&ROWID=. The manipulation of the argument sql leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vendor-guangzhou_tuchuang Guangzhou Tuchuang Computer Software Development tcsoft

Product-interlib Interlib Library Cluster Automation Management System interlib_library_cluster_automation_management_system

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2025-2664

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.05% / 16.55%

7 Day CHG~0.00%

Published-23 Mar, 2025 | 21:00

Updated-13 May, 2025 | 20:10

CodeZips Hospital Management System suadpeted.php sql injection

A vulnerability was found in CodeZips Hospital Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /suadpeted.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Vendor-CodeZips

Product-hospital_management_system Hospital Management System

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-2389

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.15% / 35.13%

7 Day CHG~0.00%

Published-17 Mar, 2025 | 18:31

Updated-23 Oct, 2025 | 20:06

code-projects Blood Bank Management System add_city.php sql injection

A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add_city.php. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Vendor-Fabian Ros Source Code & Projects

Product-blood_bank_management_system Blood Bank Management System

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-14939

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.02% / 5.31%

7 Day CHG-0.03%

Published-19 Dec, 2025 | 04:02

Updated-24 Dec, 2025 | 14:54

code-projects Online Appointment Booking System deletemanager.php sql injection

A vulnerability was found in code-projects Online Appointment Booking System 1.0. Impacted is an unknown function of the file /admin/deletemanager.php. The manipulation of the argument managername results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.

Vendor-anisha Source Code & Projects

Product-online_appointment_booking_system Online Appointment Booking System

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-14011

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.03% / 7.43%

7 Day CHG+0.01%

Published-04 Dec, 2025 | 17:32

Updated-24 Feb, 2026 | 06:16

JIZHICMS Add Display Name Field addcomment.html commentlist sql injection

A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Performing a manipulation of the argument aid/tid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vendor-jizhicms n/a

Product-jizhicms JIZHICMS

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-13302

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.03% / 7.43%

7 Day CHG~0.00%

Published-17 Nov, 2025 | 21:32

Updated-19 Nov, 2025 | 13:05

code-projects Courier Management System add-new-officer.php sql injection

A vulnerability was identified in code-projects Courier Management System 1.0. This affects an unknown part of the file /add-new-officer.php. Such manipulation of the argument ManagerName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.

Vendor-carmelogarcia Source Code & Projects

Product-courier_management_system Courier Management System

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-12913

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.03% / 7.43%

7 Day CHG~0.00%

Published-08 Nov, 2025 | 20:02

Updated-17 Nov, 2025 | 12:42

code-projects Responsive Hotel Site roomdel.php sql injection

A flaw has been found in code-projects Responsive Hotel Site 1.0. This affects an unknown part of the file /admin/roomdel.php. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.

Vendor-Source Code & Projects Fabian Ros

Product-responsive_hotel_site Responsive Hotel Site

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-13210

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.03% / 7.43%

7 Day CHG~0.00%

Published-15 Nov, 2025 | 19:02

Updated-18 Nov, 2025 | 20:25

itsourcecode Inventory Management System index.php sql injection

A security vulnerability has been detected in itsourcecode Inventory Management System 1.0. This impacts an unknown function of the file /admin/products/index.php?view=add. Such manipulation of the argument PROMODEL leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

Vendor-ITSourceCode janobe

Product-inventory_management_system Inventory Management System

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-13076

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.03% / 7.43%

7 Day CHG~0.00%

Published-12 Nov, 2025 | 23:02

Updated-17 Nov, 2025 | 19:17

code-projects Responsive Hotel Site usersetting.php sql injection

A flaw has been found in code-projects Responsive Hotel Site 1.0. The affected element is an unknown function of the file /admin/usersetting.php. Executing manipulation of the argument usname can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.

Vendor-Source Code & Projects Fabian Ros

Product-responsive_hotel_site Responsive Hotel Site

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-12597

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-5.1||MEDIUM

EPSS-0.03% / 7.43%

7 Day CHG~0.00%

Published-02 Nov, 2025 | 11:32

Updated-05 Nov, 2025 | 16:00

SourceCodester Best House Rental Management System admin_class.php save_category sql injection

A vulnerability was detected in SourceCodester Best House Rental Management System 1.0. Affected by this vulnerability is the function save_category of the file /admin_class.php. Performing manipulation of the argument Name results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.

Vendor-SourceCodester mayuri_k

Product-best_house_rental_management_system Best House Rental Management System

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2026-8773

Credits

linlinjava litemall Database Setting DbUtil.java load argument injection

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs