Vulnerability-Lookup

CNVD-2026-21568

Vulnerability from cnvd - Published: 2026-05-25

Title

EyouCMS common.php文件GetSortData函数sort_asc参数SQL注入漏洞

Description

EyouCMS是一款企业内容管理系统，主要用于企业网站内容的发布与管理。 EyouCMS存在SQL注入漏洞，该漏洞源于application/common.php文件中的GetSortData函数未能正确验证参数sort_asc，攻击者可利用该漏洞通过构造恶意输入实现SQL注入攻击。

Severity

高

Formal description

厂商尚未发布漏洞修复程序，请及时关注更新： https://vuldb.com/vuln/360114

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-7389

Impacted products

Name
EyouCMS EyouCMS <=1.7.9

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-7389",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-7389"
    }
  },
  "description": "EyouCMS\u662f\u4e00\u6b3e\u4f01\u4e1a\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff0c\u4e3b\u8981\u7528\u4e8e\u4f01\u4e1a\u7f51\u7ad9\u5185\u5bb9\u7684\u53d1\u5e03\u4e0e\u7ba1\u7406\u3002\n\nEyouCMS\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eapplication/common.php\u6587\u4ef6\u4e2d\u7684GetSortData\u51fd\u6570\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u53c2\u6570sort_asc\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6784\u9020\u6076\u610f\u8f93\u5165\u5b9e\u73b0SQL\u6ce8\u5165\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://vuldb.com/vuln/360114",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-21568",
  "openTime": "2026-05-25",
  "products": {
    "product": "EyouCMS EyouCMS \u003c=1.7.9"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-7389",
  "serverity": "\u9ad8",
  "submitTime": "2026-04-30",
  "title": "EyouCMS common.php\u6587\u4ef6GetSortData\u51fd\u6570sort_asc\u53c2\u6570SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2026-7389 (GCVE-0-2026-7389)

Vulnerability from cvelistv5 – Published: 2026-04-29 15:30 – Updated: 2026-04-29 16:19

Title

EyouCMS common.php GetSortData sql injection

Summary

A security vulnerability has been detected in EyouCMS up to 1.7.9. The affected element is the function GetSortData of the file application/common.php. The manipulation of the argument sort_asc leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

7.3 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-89 - SQL Injection
CWE-74 - Injection

Assigner

VulDB

References

4 references

URL	Tags
https://vuldb.com/vuln/360114	vdb-entrytechnical-description
https://vuldb.com/vuln/360114/cti	signaturepermissions-required
https://vuldb.com/submit/803103	third-party-advisory
https://gitee.com/weng_xianhu/eyoucms/issues/IILFPE	exploitissue-tracking

Impacted products

1 product

Vendor	Product	Version
n/a	EyouCMS	Affected: 1.7.0 Affected: 1.7.1 Affected: 1.7.2 Affected: 1.7.3 Affected: 1.7.4 Affected: 1.7.5 Affected: 1.7.6 Affected: 1.7.7 Affected: 1.7.8 Affected: 1.7.9 cpe:2.3:a:eyoucms:eyoucms::::::::

Credits

anch0r (VulDB User) VulDB CNA Team

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7389",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T16:19:32.970291Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T16:19:40.411Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:eyoucms:eyoucms:*:*:*:*:*:*:*:*"
          ],
          "product": "EyouCMS",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "1.7.0"
            },
            {
              "status": "affected",
              "version": "1.7.1"
            },
            {
              "status": "affected",
              "version": "1.7.2"
            },
            {
              "status": "affected",
              "version": "1.7.3"
            },
            {
              "status": "affected",
              "version": "1.7.4"
            },
            {
              "status": "affected",
              "version": "1.7.5"
            },
            {
              "status": "affected",
              "version": "1.7.6"
            },
            {
              "status": "affected",
              "version": "1.7.7"
            },
            {
              "status": "affected",
              "version": "1.7.8"
            },
            {
              "status": "affected",
              "version": "1.7.9"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "anch0r (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in EyouCMS up to 1.7.9. The affected element is the function GetSortData of the file application/common.php. The manipulation of the argument sort_asc leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "SQL Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T15:30:18.641Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-360114 | EyouCMS common.php GetSortData sql injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/360114"
        },
        {
          "name": "VDB-360114 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/360114/cti"
        },
        {
          "name": "Submit #803103 | eyoucms EyouCMS \u003c=1.7.9 SQL Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/803103"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://gitee.com/weng_xianhu/eyoucms/issues/IILFPE"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-29T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-29T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-29T11:40:16.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "EyouCMS common.php GetSortData sql injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-7389",
    "datePublished": "2026-04-29T15:30:18.641Z",
    "dateReserved": "2026-04-29T09:35:05.397Z",
    "dateUpdated": "2026-04-29T16:19:40.411Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-21568

CVE-2026-7389 (GCVE-0-2026-7389)

Tags

Sightings

Nomenclature