CVE-2026-1131 MEDIUM

CVE-2026-1131: Yonyou KSOA HTTP GET Parameter save_catalog.jsp sql injection

Vendor Yonyou
Product KSOA
Weakness CWE-89 · SQLi
Published January 19, 2026
Last update February 23, 2026
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability has been found in Yonyou KSOA 9.0. Impacted is an unknown function of the file /kmc/save_catalog.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument catalogid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

January 19, 2026 CVE published
February 23, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-0564 code-projects Fantasy-Cricket authenticate.php sql injection CVE-2024-49305 WordPress Customer Email Verification for WooCommerce plugin <= 2.8.10 - SQL Injection vulnerability CVE-2022-30998 WordPress Homepage Product Organizer for WooCommerce plugin <= 1.1 - Multiple Authenticated SQL Injection (SQLi) vulnerabilities CVE-2015-10099 CP Appointment Calendar Plugin dex_appointments.php dex_process_ready_to_go_appointment sql injection CVE-2025-26852