CVE-2026-8772
SQL Injection in Litemall Admin Endpoint
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linlinjava | litemall | up to 1.8.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in linlinjava litemall up to version 1.8.0 allows attackers to extract full database contents, including sensitive data such as admin password hashes. This exposure of sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access.
Because the vulnerability enables remote exploitation and data leakage, affected organizations may fail to meet compliance requirements related to data confidentiality, integrity, and security controls. This could result in regulatory penalties, legal consequences, and loss of trust.
Mitigation involves strict input validation and whitelisting to prevent unauthorized SQL execution, which is essential to maintain compliance with these standards.
Can you explain this vulnerability to me?
This vulnerability is a SQL injection issue found in linlinjava Litemall versions up to 1.8.0, specifically affecting multiple admin endpoints. It occurs because the application improperly handles user input for sorting operations by directly interpolating the orderByClause parameter into SQL queries without validation or parameterization.
The root cause is that HTTP parameters for sorting (such as sort and order) are concatenated directly in service classes and passed to SQL queries, allowing attackers to inject malicious SQL code.
This can be exploited remotely using various SQL injection techniques including boolean-based blind, error-based, and time-based injections, potentially allowing attackers to extract sensitive data like database contents, admin password hashes, and confirm database user privileges.
The vulnerability affects multiple admin controllers and is tracked under CWE-89 (SQL Injection). The recommended fix is to replace direct user input with strict whitelisting or validation of sort columns before including them in SQL queries.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized access to sensitive database information, such as extracting full database contents and admin credentials.
Attackers can exploit the SQL injection to perform data theft, manipulate or delete data, and enumerate database structure, which can compromise the integrity and confidentiality of the system.
Since the attack can be executed remotely and affects multiple admin endpoints, it increases the risk of widespread exploitation and potential full system compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected Litemall admin endpoints for SQL injection via the orderByClause parameter, specifically by manipulating the sort and order HTTP parameters.
Proof-of-concept techniques include boolean-based blind SQL injection, error-based injection, and time-based injection.
- Example boolean-based test: manipulate the sort parameter with a payload like IF(1=1,id,name) to observe different responses.
- Example error-based test: use the extractvalue() function in the sort parameter to try to leak database information such as the MySQL version or admin password hashes.
- Example time-based test: inject a delay-inducing payload to confirm the database user identity (e.g., root) by measuring response times.
Detection can be performed by sending crafted HTTP requests to admin controllers like AdminAftersaleController or AdminCommentController with manipulated sort/order parameters and analyzing the responses for SQL injection behavior.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the injection of malicious input into the orderByClause parameter by implementing strict input validation and whitelisting.
Specifically, replace direct user input in sorting parameters with a whitelist of allowed column names or use annotations like @Sort to enforce safe sorting.
Avoid using string interpolation (${orderByClause}) in MyBatis Mapper XML files and instead use parameterized queries to prevent direct SQL execution.
Additionally, monitor and restrict access to affected admin endpoints and consider applying any available patches or updates from the vendor once they respond.
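The whitelisting approach described above, shown as an added example (hypothetical helper code, not litemall's own): the client-facing sort key and order direction are looked up in fixed maps, and only the values stored in those maps are ever concatenated into the ORDER BY clause, so the request parameters can never reach the SQL string as text. One caveat worth knowing: a MyBatis #{} placeholder binds a JDBC parameter, which cannot stand in for a column name in ORDER BY, so a mapper that sorts dynamically still has to use ${orderByClause}; the whitelist is what makes that interpolation safe. The controller snippet in the comments assumes a MyBatis Generator style Example class with setOrderByClause(), which is an assumption about the calling code, not something taken from the page.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical helper (added example, not litemall code): builds an ORDER BY
 * clause from untrusted "sort"/"order" request parameters without ever placing
 * user-supplied text into the SQL string.
 */
public final class SortWhitelist {

    // Client-facing sort keys mapped to the real column names. The request
    // parameter is only used as a lookup key; only values from this map
    // (which the developer controls) are ever written into the SQL.
    private static final Map<String, String> ALLOWED_SORT_COLUMNS = Map.of(
            "id", "id",
            "addTime", "add_time",
            "updateTime", "update_time");

    // The direction is likewise restricted to two fixed tokens.
    private static final Set<String> ALLOWED_DIRECTIONS = Set.of("asc", "desc");

    private static final String DEFAULT_SORT = "addTime";
    private static final String DEFAULT_ORDER = "desc";

    private SortWhitelist() {
    }

    /**
     * Returns "<column> <direction>" built purely from whitelisted values, or
     * throws IllegalArgumentException so the controller can answer 400 instead
     * of running the query.
     */
    public static String buildOrderByClause(String sort, String order) {
        String sortKey = (sort == null || sort.isBlank()) ? DEFAULT_SORT : sort;
        String column = ALLOWED_SORT_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("sort parameter not allowed: " + sortKey);
        }

        String direction = (order == null || order.isBlank())
                ? DEFAULT_ORDER
                : order.toLowerCase(Locale.ROOT);
        if (!ALLOWED_DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("order parameter not allowed: " + order);
        }

        // Safe to pass to a MyBatis ${orderByClause} interpolation, e.g. in a
        // controller (assumed MyBatis Generator style Example class):
        //   example.setOrderByClause(SortWhitelist.buildOrderByClause(sort, order));
        return column + " " + direction;
    }

    public static void main(String[] args) {
        // Accepted: known key and direction, and the defaults for missing input.
        System.out.println(buildOrderByClause("addTime", "asc")); // add_time asc
        System.out.println(buildOrderByClause(null, null));       // add_time desc

        // Rejected: the page's boolean-based payload and an unlisted column name
        // never reach the SQL; the caller sees an exception instead.
        String[] rejectedSorts = {"IF(1=1,id,name)", "name"};
        for (String bad : rejectedSorts) {
            try {
                buildOrderByClause(bad, "asc");
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        try {
            buildOrderByClause("id", "asc, (SELECT 1)");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac SortWhitelist.java && java SortWhitelist (Java 11 or newer for Map.of and String.isBlank). The design point is that validation happens on the lookup key, not on the SQL text: there is no pattern to escape or blacklist, because the only strings that can appear in the clause are the map values the developer wrote.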