CVE-2026-11412: SQL Injection in Jinher OA C6 GetFormSn.aspx
Jinher OA C6 contains a SQL injection vulnerability in a web component that processes form identifiers. An attacker with login credentials can manipulate the queryID parameter in GetFormSyn.aspx to execute arbitrary database queries, potentially reading, modifying, or deleting sensitive data. The vulnerability is network-accessible and exploit code has been publicly released, increasing the risk of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in Jinher OA C6. The affected element is an unknown function of the file /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx. Executing a manipulation of the argument queryID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11412 is a SQL injection flaw (CWE-89) in Jinher OA C6's /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx endpoint. The vulnerability stems from insufficient input validation on the queryID parameter, allowing authenticated users to inject SQL commands directly into database queries. This violates secure coding practices for parameterized queries and represents a classic improper neutralization of special elements (CWE-74). The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects a network-accessible attack requiring valid credentials, with low complexity, no user interaction, and impact limited to confidentiality, integrity, and availability within the affected system.
Business impact
This vulnerability enables authenticated attackers to breach database confidentiality and integrity. In a typical Jinher OA deployment, this could lead to unauthorized access to sensitive organizational documents, customer records, or internal communications stored in the application database. Attackers could also modify or delete records, potentially disrupting business processes or causing compliance violations. The public availability of exploit code elevates the practical risk significantly.
Affected systems
Jinher OA C6 deployments are affected. The vulnerability requires valid user credentials to exploit, limiting the attack surface to internal users or compromised accounts. Organizations using Jinher OA C6 should inventory affected instances and assess user access controls.
Exploitability
The vulnerability is exploitable with low effort. An authenticated attacker needs network access and valid login credentials; no complex techniques or user interaction are required. The public availability of working exploit code means skilled attackers and potentially less-sophisticated threat actors can weaponize this vulnerability. While authentication is required, compromised accounts, insider threats, or lateral movement from other vulnerabilities could provide the initial access needed.
Remediation
Contact Jinher immediately to request a security patch or workaround. Given the vendor's non-responsiveness documented in the CVE record, consider whether an alternative product or manual compensating controls (such as strict database access restrictions, query monitoring, and application firewall rules) are necessary. Input validation and parameterized query enforcement should be standard practice in any remediation offered by the vendor.
Patch guidance
Verify the latest vendor advisory from Jinher for patch availability and version numbers. Apply patches immediately to all affected C6 instances. Until a patch is available, implement network segmentation to restrict access to the vulnerable endpoint, enforce strong authentication policies, and monitor database query logs for suspicious SQL patterns. Consider deploying a Web Application Firewall (WAF) configured to block SQL injection attempts on the /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx endpoint.
Detection guidance
Monitor application logs for SQL error messages or unusual database queries originating from the GetFormSn.aspx endpoint. Analyze HTTP request logs for suspicious queryID parameter values containing SQL metacharacters (quotes, dashes, semicolons, or SQL keywords). Enable database audit logging to capture any queries executed by the OA application user that deviate from normal patterns. Hunt for POST/GET requests to the vulnerable path with encoded or obfuscated payloads.
Why prioritize this
This vulnerability merits high-priority remediation due to the combination of public exploit availability, low attack complexity, and direct database access impact. Although authentication is required, the prevalence of compromised credentials and insider threats means the practical risk is substantial. Immediate patching or compensating controls are essential.
Risk score, explained
The CVSS 3.1 score of 6.3 (MEDIUM) reflects network accessibility with low attack complexity and authenticated access requirements. However, the CVSS baseline does not account for the public availability of exploit code and vendor non-responsiveness, both of which elevate practical risk. Organizations should treat this as a higher priority than the base CVSS suggests.
Frequently asked questions
Does this vulnerability require me to have valid Jinher OA C6 login credentials?
Yes. The CVSS vector specifies PR:L (requires low privilege), meaning an attacker needs valid user credentials. This limits the threat to internal users, compromised accounts, or attackers who have gained initial access via other means.
If Jinher has not responded to the vendor disclosure, what should I do?
Contact Jinher's security team directly through multiple channels (support, security@, etc.) and document your outreach. In parallel, implement compensating controls: network segmentation, WAF rules, and strict database access policies. Evaluate alternative products if the vendor continues to be unresponsive and your risk tolerance is low.
Can this vulnerability be exploited remotely without any user action?
It can be exploited remotely if you have valid credentials, but no user interaction (such as clicking a link) is required beyond the attacker's initial login. If you suspect account compromise, reset passwords and review access logs immediately.
What should I prioritize: patching or detection?
Implement detection and compensating controls immediately while you await a patch from Jinher. If a patch becomes available, apply it without delay. For high-risk systems, network segmentation or temporary service disabling may be warranted until remediation is complete.
This analysis is based on the CVE record published on 2026-06-06 and last modified 2026-06-17. Patch availability, vendor responsiveness, and affected version ranges should be verified directly with Jinher's official security advisories. No exploit code or proof-of-concept steps are provided. Organizations should test all security patches in a non-production environment before deployment. This information is provided for informational purposes and should inform, not replace, your organization's risk assessment and incident response procedures. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface