CVE-2026-2821
Received Received - Intake
SQL Injection in Fujian Smart Platform's XCamera.ashx Allows Remote Exploitation

Publication date: 2026-02-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in Fujian Smart Integrated Management Platform System up to 7.5. Impacted is an unknown function of the file /Module/CRXT/Controller/XCamera.ashx. This manipulation of the argument ChannelName causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-02-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2821
EUVD
EUVD-2026-7621
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
fuzhou_yinda_yunchuang_information_technology_co_ltd smart_integrated_management_platform_system From 7.0 (inc) to 7.5 (inc)
fuzhou_yinda_yunchuang_information_technology_co_ltd smart_integrated_management_platform_system 7.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2821 is a SQL injection vulnerability found in Fujian Smart Integrated Management Platform System versions up to 7.5. It exists in the file /Module/CRXT/Controller/XCamera.ashx, specifically involving the manipulation of the ChannelName parameter. Improper validation of this parameter allows an attacker to inject malicious SQL code remotely without authentication.

This vulnerability is classified under CWE-89, which means it involves improper neutralization of special elements used in an SQL command, leading to unauthorized database manipulation.


How can this vulnerability impact me? :

Exploitation of this vulnerability allows remote attackers to execute arbitrary SQL commands on the backend database without authentication.

  • Attackers can retrieve, modify, or manipulate sensitive information stored in the database.
  • The confidentiality, integrity, and availability of the affected system can be compromised.

Because the exploit is publicly available and easy to execute, the risk of attack is significant.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability involves SQL injection via the ChannelName parameter in the /Module/CRXT/Controller/XCamera.ashx endpoint. Detection can be performed by testing this endpoint for SQL injection vulnerabilities.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit script is publicly available on GitHub, which can be used to verify if the system is vulnerable.'}, {'type': 'paragraph', 'content': 'You can use commands such as curl or similar HTTP request tools to send crafted requests to the vulnerable endpoint, manipulating the ChannelName parameter to check for SQL injection responses.'}, {'type': 'list_item', 'content': 'Example curl command to test for SQL injection: curl -G \'http://<target>/Module/CRXT/Controller/XCamera.ashx\' --data-urlencode \'ChannelName=1\' --data-urlencode "ChannelName=1\' OR \'1\'=\'1"'}, {'type': 'paragraph', 'content': 'Alternatively, use the provided Python proof-of-concept script from the GitHub repository to automate detection.'}] [1, 3, 4]


What immediate steps should I take to mitigate this vulnerability?

Currently, no known countermeasures or mitigations exist for this vulnerability.

It is recommended to consider replacing the affected component or product with an alternative that is not vulnerable.

As an immediate step, restrict access to the vulnerable endpoint by network controls such as firewalls or VPNs to limit exposure.

Monitor logs for suspicious activity targeting the /Module/CRXT/Controller/XCamera.ashx endpoint, especially requests manipulating the ChannelName parameter.

Apply general best practices such as input validation, web application firewalls (WAF), and timely patching when updates become available.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart