CVE-2026-1546

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in jishenghua jshERP allows remote attackers to execute arbitrary SQL commands through the barCodes parameter in the getBillItemByParam function. Organizations using jshERP versions up to 3.6 are affected, potentially exposing sensitive database information.

💻 Affected Systems

Products:
  • jishenghua jshERP
Versions: Up to and including version 3.6
Operating Systems: All platforms running jshERP
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, data manipulation, and potential remote code execution via database functions.

🟠

Likely Case

Unauthorized access to sensitive business data, inventory information, and potential privilege escalation within the ERP system.

🟢

If Mitigated

Limited information disclosure if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or unauthenticated attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed in GitHub issues, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available, and the vendor has not responded to the vulnerability report. Consider migrating to an alternative ERP solution or applying the workarounds below.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation for the barCodes parameter to reject SQL injection attempts

Modify /jshERP-boot/depotItem/importItemExcel to validate barCodes parameter against allowed patterns

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns in requests to the vulnerable endpoint

Configure WAF to block requests containing SQL keywords like UNION, SELECT, INSERT, DELETE, DROP, etc. in the barCodes parameter

🧯 If You Can't Patch

  • Isolate the jshERP system from internet access and restrict internal network access
  • Implement database-level protections including strict user permissions and query logging

🔍 How to Verify

Check if Vulnerable:

Check if jshERP version is 3.6 or earlier by examining application version files or database schema version

Check Version:

Check application.properties or similar configuration files for version information

Verify Fix Applied:

Test the /jshERP-boot/depotItem/importItemExcel endpoint with SQL injection payloads in barCodes parameter to confirm they are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL error messages
  • Requests to /jshERP-boot/depotItem/importItemExcel with suspicious barCodes parameters

Network Indicators:

  • Unusual outbound database connections from jshERP server
  • Large data transfers from jshERP database

SIEM Query:

source="jshERP" AND url="/jshERP-boot/depotItem/importItemExcel" AND param="barCodes" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--")
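The following is an added example (not code from the advisory or from the jshERP project) that turns the input-validation workaround and the SIEM query above into a small log checker: it isolates requests to the vulnerable endpoint, URL-decodes the barCodes value, applies an assumed allow-list pattern for barcode lists, and only then looks for the advisory's SQL indicators, case-insensitively. The log line format, the allow-list regex and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/jshERP-boot/depotItem/importItemExcel"
# Assumed allow-list: one or more barcode tokens (letters, digits, '-', '_')
# separated by commas. Adjust to the real barcode format in your deployment.
BARCODE_RE = re.compile(r"^[A-Za-z0-9_-]+(,[A-Za-z0-9_-]+)*$")
# Indicators taken from the advisory's SIEM query. They are checked after URL
# decoding and in upper case so 'uNiOn' or percent-encoded forms are not missed.
SQLI_MARKERS = ("UNION", "SELECT", "--")

# Constructed access log lines in the form: METHOD REQUEST-TARGET STATUS
LOG_LINES = [
    "POST /jshERP-boot/depotItem/importItemExcel?barCodes=A1001,A1002 200",
    "POST /jshERP-boot/depotItem/importItemExcel?barCodes=A1001%27%20uNiOn%20select%201--%20 500",
    "GET /jshERP-boot/depotItem/list?search=UNION 200",
    "POST /jshERP-boot/depotItem/importItemExcel?barCodes=A1001'%20OR%201=1-- 200",
]


def bar_codes_from(request_target):
    """Return the decoded barCodes value for requests to the vulnerable path, else None."""
    parts = urlsplit(request_target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query).get("barCodes")  # parse_qs URL-decodes the value
    return values[0] if values else None


def classify(line):
    """'clean' if barCodes matches the allow-list, 'suspicious' if it carries an
    advisory indicator, 'malformed' if it fails the allow-list without one,
    None if the request is not to the vulnerable endpoint."""
    _method, target, _status = line.split(" ")
    value = bar_codes_from(target)
    if value is None:
        return None
    if BARCODE_RE.fullmatch(value):
        return "clean"
    upper = value.upper()
    if any(marker in upper for marker in SQLI_MARKERS):
        return "suspicious"
    return "malformed"


def scan(lines):
    """Return (line index, verdict) for every request that is not clean."""
    return [(i, v) for i, v in enumerate(map(classify, lines)) if v not in (None, "clean")]
```

Requests that fail the allow-list but carry none of the keyword indicators are still reported as "malformed", since keyword lists alone are easy to evade.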
