CVE-2026-1059
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feminer | wms | to 9cad1f1b179a98b9547fd003c23b07c7594775fa (exc) |
| github | wms | 1.0 |
| feminer | warehouse_management_system | to 2021-11-15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1059 is a critical SQL injection vulnerability in the FeMiner Warehouse Management System (WMS), specifically in the file /src/chkuser.php. The vulnerability arises because the Username parameter is not properly sanitized, allowing attackers to inject malicious SQL code remotely without authentication. This can lead to unauthorized access to the database and manipulation of data. [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow attackers to bypass authentication, gain unauthorized access to sensitive information such as user credentials, inventory data, and business records, modify or delete data, achieve full system control, and potentially disrupt services. This threatens the confidentiality, integrity, and availability of the system and business continuity. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP POST requests targeting the file `/src/chkuser.php` with unusual or crafted `username` parameters that may indicate SQL injection attempts. A proof-of-concept uses a crafted HTTP POST request with payload `username=admin*` and `userpwd=1`. Tools like sqlmap can be used to test for this SQL injection by providing a crafted request file. Additionally, Google dorking with queries like `inurl:src/chkuser.php` can help identify vulnerable instances. Example command to test with sqlmap: `sqlmap -r x.txt --dbs` where `x.txt` contains the crafted HTTP request targeting `/src/chkuser.php`. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing secure coding practices such as using prepared statements with parameter binding to prevent SQL injection, applying strict input validation and filtering on the `username` parameter, and minimizing database user permissions by avoiding high-privilege accounts for routine operations. Promptly applying official patches or upgrading to fixed versions is strongly recommended. If no patches are available, consider replacing the affected component with an alternative product. Regular security audits should also be conducted to detect and remediate vulnerabilities. [1, 2, 3]