CVE-2026-5328
Received Received - Intake
SQL Injection in ProductItemDao's ProductIndexServiceImpl Function

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in shsuishang modulithshop up to 829bac71f507e84684c782b9b062b8bf3b5585d6. The impacted element is the function listItem of the file src/main/java/com/suisung/shopsuite/pt/service/impl/ProductIndexServiceImpl.java of the component ProductItemDao Interface. Executing a manipulation of the argument sidx/sort can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. This patch is called 42bcb9463425d1be906c3b290cf29885eb5a2324. A patch should be applied to remediate this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5328
EUVD
EUVD-2026-18214
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
shsuishang modulithshop to 829bac71f507e84684c782b9b062b8bf3b5585d6 (inc)
shsuishang modulithshop to 829bac71f507e84684c782b9b062b8bf3b5585d6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection issue found in the shsuishang modulithshop system, specifically in the listItem function of the ProductItemDao interface. It arises from unsafe handling of the sorting parameters `sidx` and `sort` which are directly used in SQL ORDER BY clauses without proper validation or sanitization.

Attackers can manipulate these parameters remotely to inject malicious SQL code, potentially compromising the database. The vulnerability exists because the parameters are interpolated directly into SQL statements using `${}` syntax in MyBatis XML mapper files, allowing injection of arbitrary SQL.

A patch was introduced that sanitizes the `sidx` parameter by removing dangerous characters and validating it against the actual fields of the ProductItem entity, and restricts the `sort` parameter to only 'ASC' or 'DESC'. This prevents attackers from injecting unauthorized SQL commands through these parameters.

Impact Analysis

Exploitation of this SQL injection vulnerability can lead to serious impacts including unauthorized extraction of sensitive data such as product details (SKU, pricing, inventory), user information, system configuration, and administrative credentials.

Attackers may also gain the ability to disclose database structure information, manipulate data (INSERT, UPDATE, DELETE), and potentially achieve full database compromise depending on the database configuration.

The vulnerability can be exploited remotely without authentication via specially crafted requests to the frontend endpoint, making it a significant risk for data breaches and system integrity.

Detection Guidance

This vulnerability can be detected by monitoring and testing the affected GET endpoint `/front/pt/product/listItem` for SQL injection attempts through the `sidx` and `sort` query parameters.

One way to detect exploitation attempts is to send crafted requests that include SQL injection payloads in the `sidx` parameter and observe the responses or errors returned by the system.

An example command using curl to test for the vulnerability is:

  • curl -v "http://<target-host>/front/pt/product/listItem?sidx=item_id,(select updatexml(1,concat(0x7e,@@version_comment,0x7e),1))&sort=desc"

If the response contains database error messages or unusual output, it indicates the presence of SQL injection vulnerability.

Additionally, network intrusion detection systems (NIDS) can be configured to look for suspicious patterns in HTTP requests targeting this endpoint with SQL keywords or special characters in the `sidx` or `sort` parameters.

Mitigation Strategies

Immediate mitigation steps include applying the patch identified by commit 42bcb9463425d1be906c3b290cf29885eb5a2324 which sanitizes and validates the `sidx` parameter in the `listItem` method.

  • Sanitize the `sidx` parameter by removing dangerous characters such as backticks (`).
  • Validate the `sidx` parameter against a whitelist of allowed column names corresponding to the `ProductItem` entity fields.
  • Restrict the `sort` parameter strictly to either 'ASC' or 'DESC' values.
  • Replace unsafe string interpolation (`${}`) in MyBatis XML mappers with parameter binding (`#{}`) to prevent direct injection.
  • Conduct a thorough code review to identify and fix similar unsafe SQL interpolation patterns in other parts of the codebase.

If immediate patching is not possible, consider implementing web application firewall (WAF) rules to block suspicious requests containing SQL injection patterns targeting the vulnerable parameters.

Compliance Impact

The SQL injection vulnerability in the ProductItemDao interface allows unauthorized attackers to extract sensitive data such as product details, user information, system configuration, administrative credentials, and potentially sensitive business and financial data.

Such unauthorized data access and potential data manipulation could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability poses a risk to compliance with these standards by exposing sensitive data to attackers and potentially enabling data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5328. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart