Qihang WMS SQLi via datascope param in SysDeptMapper.xml: CVE-2026-37428 May 2026

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII).

Vulnerability Analysis

CVE-2026-37428 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2026-37428 has been classified to as a SQL Injection vulnerability or weakness.

Qihang WMS SQLi via datascope param in SysDeptMapper.xmlCVE-2026-37428 Published on May 13, 2026

Vulnerability Analysis

Weakness Type

What is a SQL Injection Vulnerability?

Qihang WMS SQLi via datascope param in SysDeptMapper.xml
CVE-2026-37428 Published on May 13, 2026