CVE-2026-3969
SQL Injection in FeMiner WMS Basic Organizational Module
Publication date: 2026-03-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feminer | enterprise_warehouse_management_system | 1.0 |
| feminer | wms | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-3969 is a critical SQL injection vulnerability found in FeMiner's Warehouse Management System (WMS) version 1.0, specifically in the Basic Organizational Structure module within the file /wms-master/src/basic/depart/depart_add_bg.php."}, {'type': 'paragraph', 'content': "The vulnerability arises because the 'Name' argument is improperly handled, allowing attackers to inject malicious SQL code. This happens due to lack of input validation, absence of special character escaping, and failure to use parameterized queries."}, {'type': 'paragraph', 'content': "An attacker can remotely exploit this vulnerability without authentication by manipulating the 'Name' parameter, leading to unauthorized modification of SQL queries."}] [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can have severe impacts including unauthorized access to the database, extraction of sensitive information, modification or deletion of data, and disruption of services.
- Attackers can illegally access and exfiltrate sensitive data such as department structures, employee identities, permission configurations, and core business data.
- They can tamper with organizational data by creating fake departments, altering affiliations, and elevating permissions of ordinary accounts.
- Attackers may escalate database privileges, potentially gaining full administrative control over the database server.
These impacts compromise confidentiality, integrity, and availability of the system, leading to serious security incidents and business continuity risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can lead to serious security incidents such as leakage of critical sensitive information and violations of data compliance.
Exposure of sensitive personal and business data due to unauthorized access and tampering can result in non-compliance with regulations like GDPR and HIPAA, which mandate protection of personal and sensitive information.
The disruption and unauthorized modification of organizational data may also violate internal controls and regulatory requirements for data integrity and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the vulnerable parameter "Name" in the URL path `/wms-master/src/basic/depart/depart_add_bg.php` for SQL injection flaws.'}, {'type': 'paragraph', 'content': 'One method to detect the vulnerability is to use automated SQL injection testing tools such as sqlmap targeting the POST parameter "name" at the vulnerable URL.'}, {'type': 'list_item', 'content': 'Example sqlmap command: sqlmap -u "http://127.0.0.1/wms-master/src/basic/depart/depart_add_bg.php" --data="name=example" --risk=3 --level=5'}, {'type': 'list_item', 'content': 'Attackers can also locate vulnerable targets using Google dorking with queries like: inurl:wms-master/src/basic/depart/depart_add_bg.php'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing secure coding practices to prevent SQL injection.
- Use prepared statements with parameter binding to separate SQL code from user input.
- Implement strict input validation and filtering to ensure user data conforms to expected formats.
- Limit database user permissions to the minimum necessary, avoiding use of high-privilege accounts like root or admin for routine operations.
- Conduct regular security audits of code and systems to detect and address vulnerabilities promptly.
Since no official patch or mitigation has been published by the vendor, it is suggested to replace the affected component or product if possible.