CVE-2026-3969
📋 TL;DR
This CVE describes a SQL injection vulnerability in FeMiner wms up to version 1.0, specifically in the Basic Organizational Structure Module. Attackers can remotely exploit this by manipulating the 'Name' parameter in the depart_add_bg.php file to execute arbitrary SQL commands. All users running FeMiner wms version 1.0 or earlier are affected.
💻 Affected Systems
- FeMiner wms
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized data access, data modification, and potential authentication bypass leading to unauthorized administrative access.
If Mitigated
Limited impact with proper input validation and database permission restrictions, potentially only allowing data viewing without modification.
🎯 Exploit Status
The exploit is publicly available and can be executed remotely without authentication. SQL injection vulnerabilities are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Vendor did not respond to disclosure. Consider workarounds or alternative software.
🔧 Temporary Workarounds
Input Validation Filter
allImplement strict input validation for the 'Name' parameter to reject SQL special characters
Modify /wms-master/src/basic/depart/depart_add_bg.php to sanitize user input
Web Application Firewall
allDeploy WAF with SQL injection protection rules
🧯 If You Can't Patch
- Isolate the FeMiner wms system from the internet and restrict network access
- Implement database user with minimal permissions (read-only if possible) and enable database logging
🔍 How to Verify
Check if Vulnerable:
Check if FeMiner wms version is 1.0 or earlier and if the file /wms-master/src/basic/depart/depart_add_bg.php existsCheck Version:
Check application configuration files or documentation for version informationVerify Fix Applied:
Test the 'Name' parameter with SQL injection payloads to confirm proper input validation📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts from single IP
- Unexpected database schema changes
Network Indicators:
- HTTP requests containing SQL keywords (SELECT, UNION, etc.) to depart_add_bg.php
- Unusual outbound database connections
SIEM Query:
source="web_logs" AND uri="*depart_add_bg.php*" AND (request="*SELECT*" OR request="*UNION*" OR request="*OR 1=1*")