CVE-2026-11456: Critical SQL Injection in Chanjet CRM 1.0
Chanjet CRM 1.0 contains a SQL injection vulnerability in its HTTP GET request handler, specifically in the /tools/jxf_dump_systable.php file. An attacker can manipulate the gblOrgID parameter to inject malicious SQL commands, potentially allowing unauthorized access to or modification of database contents. The vulnerability requires no authentication and can be exploited over the network. Exploit code is publicly available, increasing the risk of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf_dump_systable.php of the component HTTP GET Request Handler. Such manipulation of the argument gblOrgID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a SQL injection flaw (CWE-89) resulting from improper input validation (CWE-74) in the HTTP GET request handler component. The gblOrgID parameter is passed unsanitized to SQL queries executed by /tools/jxf_dump_systable.php. The attack vector is network-based with low attack complexity, no privilege requirements, no user interaction needed, and impacts the confidentiality, integrity, and availability of the underlying database. The CVSS 3.1 base score of 7.3 reflects the high severity of unauthenticated remote SQL injection.
Business impact
Successful exploitation could allow attackers to exfiltrate sensitive customer data, organization details, or internal CRM records stored in the database. Beyond data theft, attackers may modify or delete critical business information, potentially disrupting CRM operations and customer relationship workflows. The public availability of exploit code and vendor non-responsiveness elevate the practical risk that this vulnerability will be actively exploited against deployed instances.
Affected systems
Chanjet CRM version 1.0 is confirmed vulnerable. Organizations running this version of Chanjet CRM are at risk. The vendor contact details and any information about whether later versions have remediated this issue are not yet confirmed; verify directly with Chanjet regarding patched versions and update availability.
Exploitability
The vulnerability is highly exploitable: it requires no authentication, no special privileges, no user interaction, and can be triggered remotely via a simple HTTP GET request. Exploit code is publicly available, reducing the technical barrier to weaponization. The low attack complexity means attackers do not need to perform reconnaissance or bypass any significant obstacles beyond basic HTTP request manipulation.
Remediation
Immediate action is required. Organizations should contact Chanjet directly to determine if a patched version is available and obtain guidance on upgrading from version 1.0. Interim mitigation may include restricting network access to the /tools/jxf_dump_systable.php endpoint via firewall rules or web application firewall (WAF) policies, and implementing input validation or parameterized queries at the application level if source code access is available. A complete security audit of other endpoints and parameters in Chanjet CRM should be performed.
Patch guidance
The vendor was contacted early but has not responded publicly with a patch or advisory as of the vulnerability publication date (June 7, 2026). Organizations should contact Chanjet support directly to inquire about available security updates and timeline for remediation. If patches become available, they should be tested in a staging environment before production deployment. Verify patch applicability for your specific Chanjet CRM deployment configuration.
Detection guidance
Monitor HTTP GET requests to /tools/jxf_dump_systable.php for suspicious gblOrgID parameter values, including SQL metacharacters (single quotes, double dashes, UNION keywords, etc.). Web application firewalls (WAF) should be configured with SQL injection detection rules. Review web server and application logs for any requests to this endpoint, paying special attention to unusual parameter encoding or character sequences. Database query logs may show evidence of injected SQL statements. Baseline traffic patterns and implement alerts for deviation.
Why prioritize this
This vulnerability merits high priority due to the combination of unauthenticated network-accessible SQL injection, public exploit availability, no required user interaction, and vendor non-responsiveness. SQL injection on a CRM system threatens customer data confidentiality, business continuity, and regulatory compliance. The low attack complexity and high exploitability make this an attractive target for opportunistic and targeted attacks.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects the severity of unauthenticated, remotely exploitable SQL injection with impacts to confidentiality, integrity, and availability. The score does not account for the aggravating factor of publicly available exploit code or vendor non-response, both of which increase practical risk beyond the base score. Organizations should treat this as a critical operational security issue.
Frequently asked questions
Does Chanjet have a public advisory or patch for CVE-2026-11456?
As of the vulnerability publication date, Chanjet did not respond to early vendor contact and no public advisory or patch has been released. Contact Chanjet support directly to inquire about remediation status and available updates. Check their security page regularly for guidance.
Can I mitigate this vulnerability without upgrading?
Temporary mitigations include blocking or restricting access to /tools/jxf_dump_systable.php using a firewall or WAF, implementing strict input validation for the gblOrgID parameter, and using parameterized SQL queries. However, these are interim measures. A permanent fix requires patching or upgrading when the vendor provides a remediation.
How can I determine if my Chanjet CRM instance is vulnerable?
If you are running Chanjet CRM version 1.0, your instance is vulnerable. Check your Chanjet CRM version in the application settings or vendor documentation. If you are on a later version, verify with Chanjet that the fix is included. You may also attempt to access /tools/jxf_dump_systable.php from a controlled test environment to confirm the endpoint exists.
What data could an attacker access or modify?
Attackers could potentially access any data stored in the Chanjet CRM database, including customer information, organization details, deal records, communications, and internal company data. Depending on database permissions, they may also modify or delete records. A security audit of your CRM database should be performed to identify sensitive data at risk.
This analysis is provided for informational purposes based on available vulnerability data as of the publication date. No patch from Chanjet is currently confirmed available; verify directly with the vendor regarding patched versions and support timelines. SEC.co does not provide legal, compliance, or technical support services. Organizations should validate all information against their own threat models, inventory, and the vendor's official advisories before taking remediation action. This vulnerability assessment does not constitute a guarantee of risk level for any specific deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login