CVE-2026-8772
Received Received - Intake
SQL Injection in Litemall Admin Endpoint

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: VulDB

Description
A weakness has been identified in linlinjava litemall up to 1.8.0. Affected is an unknown function of the component Admin Endpoint. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-18
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8772
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linlinjava litemall to 1.8.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection issue found in linlinjava Litemall versions up to 1.8.0, specifically affecting multiple admin endpoints. It occurs because the application improperly handles user input for sorting operations by directly interpolating the orderByClause parameter into SQL queries without validation or parameterization.

The root cause is that HTTP parameters for sorting (such as sort and order) are concatenated directly in service classes and passed to SQL queries, allowing attackers to inject malicious SQL code.

This can be exploited remotely using various SQL injection techniques including boolean-based blind, error-based, and time-based injections, potentially allowing attackers to extract sensitive data like database contents, admin password hashes, and confirm database user privileges.

The vulnerability affects multiple admin controllers and is tracked under CWE-89 (SQL Injection). The recommended fix is to replace direct user input with strict whitelisting or validation of sort columns before including them in SQL queries.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information, such as extracting full database contents and admin credentials.

Attackers can exploit the SQL injection to perform data theft, manipulate or delete data, and enumerate database structure, which can compromise the integrity and confidentiality of the system.

Since the attack can be executed remotely and affects multiple admin endpoints, it increases the risk of widespread exploitation and potential full system compromise.

Detection Guidance

This vulnerability can be detected by testing the affected Litemall admin endpoints for SQL injection via the orderByClause parameter, specifically by manipulating the sort and order HTTP parameters.

Proof-of-concept techniques include boolean-based blind SQL injection, error-based injection, and time-based injection.

  • Example boolean-based test: manipulate the sort parameter with a payload like IF(1=1,id,name) to observe different responses.
  • Example error-based test: use extractvalue() function in the sort parameter to try to leak database information such as MySQL version or admin password hashes.
  • Example time-based test: inject a delay-inducing payload to confirm the database user identity (e.g., root) by measuring response times.

Detection can be performed by sending crafted HTTP requests to admin controllers like AdminAftersaleController or AdminCommentController with manipulated sort/order parameters and analyzing the responses for SQL injection behavior.

Mitigation Strategies

Immediate mitigation steps include preventing the injection of malicious input into the orderByClause parameter by implementing strict input validation and whitelisting.

Specifically, replace direct user input in sorting parameters with a whitelist of allowed column names or use annotations like @Sort to enforce safe sorting.

Avoid using string interpolation (${orderByClause}) in MyBatis Mapper XML files and instead use parameterized queries to prevent direct SQL execution.

Additionally, monitor and restrict access to affected admin endpoints and consider applying any available patches or updates from the vendor once they respond.

Compliance Impact

The SQL injection vulnerability in linlinjava litemall up to version 1.8.0 allows attackers to extract full database contents, including sensitive data such as admin password hashes. This exposure of sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access.

Because the vulnerability enables remote exploitation and data leakage, affected organizations may fail to meet compliance requirements related to data confidentiality, integrity, and security controls. This could result in regulatory penalties, legal consequences, and loss of trust.

Mitigation involves strict input validation and whitelisting to prevent unauthorized SQL execution, which is essential to maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8772. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart