CVE-2026-11456
Deferred - Pending Action

SQL Injection in Chanjet CRM via gblOrgID Parameter

Vulnerability report for CVE-2026-11456, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-07

Last updated on: 2026-06-07

Assigner: VulDB

Description

A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf_dump_systable.php of the component HTTP GET Request Handler. Manipulation of the argument gblOrgID leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-07
Last Modified
2026-06-07
Generated
2026-06-28
AI Q&A
2026-06-07
EPSS Evaluated
2026-06-26
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor: chanjet
Product: crm
Version / Range: 1.0

Helpful Resources

Exploitability

CWE
CWE ID and Description

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Executive Summary

Chanjet CRM version 1.0 contains a critical SQL injection vulnerability in the /tools/jxf_dump_systable.php component. The vulnerability arises because the "gblOrgID" parameter is directly concatenated into SQL queries without proper validation or parameterization.

This flaw allows unauthenticated attackers to execute arbitrary SQL commands remotely via a simple HTTP GET request, potentially leading to unauthorized access to sensitive data, privilege escalation, remote code execution on the database server, and complete compromise of the CRM system.

Impact Analysis

Exploitation of this vulnerability can have severe impacts including unauthorized access to sensitive data stored within the CRM system.

Attackers may escalate privileges, execute remote code on the database server, and potentially take full control over the CRM system.

Since the attack requires no authentication and can be launched remotely, it poses a significant security risk to organizations using Chanjet CRM 1.0.

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the endpoint /tools/jxf_dump_systable.php that include the gblOrgID parameter. Since exploitation involves SQL injection via this parameter, suspicious or malformed inputs in gblOrgID may indicate an attempt to exploit the vulnerability.

You can use network monitoring tools or web server logs to identify such requests. For example, using command line tools like curl or wget to test the endpoint with crafted inputs can help verify if the system is vulnerable.

  • Example curl command to test for SQL injection: curl "http://target-site/tools/jxf_dump_systable.php?gblOrgID=1' OR '1'='1"
  • Use grep on web server logs to find requests to the vulnerable endpoint: grep "/tools/jxf_dump_systable.php" /var/log/apache2/access.log
  • Monitor for unusual database errors or anomalies that may result from SQL injection attempts.
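The log review described above, written out as an added example (not part of this report and not Chanjet's code). It parses Apache combined-format access log lines, keeps only requests to /tools/jxf_dump_systable.php, URL-decodes the gblOrgID value and flags anything that is not a plain integer. The sample log lines are constructed, and the assumption that a legitimate gblOrgID is purely numeric is mine, not something the report states; adjust is_suspicious() if the application uses another identifier format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format; not real traffic.
# Line 2 carries the same probe value quoted in the report's curl example,
# line 4 a lone stray quote that produced a server error.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2026:10:01:02 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jun/2026:10:01:07 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98304 "-" "curl/8.0"
203.0.113.9 - - [07/Jun/2026:10:01:09 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:10:01:11 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=42%27 HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

VULN_PATH = "/tools/jxf_dump_systable.php"   # endpoint named in the report
PARAM = "gblOrgID"                            # parameter named in the report

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_suspicious(value: str) -> bool:
    """Assumption: a legitimate gblOrgID is a plain integer, so anything else
    (quotes, spaces, SQL keywords, an empty value) is worth an analyst's look."""
    return not value.isdigit()


def scan_log(text: str) -> list[dict]:
    """Return one finding per request to the vulnerable endpoint that carries
    gblOrgID, with the URL-decoded value, HTTP status and a suspicious flag."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue                      # some other endpoint
        qs = parse_qs(parts.query, keep_blank_values=True)
        for value in qs.get(PARAM, []):   # parse_qs already percent-decodes
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "value": value,
                "status": int(m.group("status")),
                "suspicious": is_suspicious(value),
            })
    return findings


def suspicious_sources(findings: list[dict]) -> dict[str, int]:
    """Count suspicious requests per client IP, the figure an analyst pivots on."""
    counts: dict[str, int] = {}
    for f in findings:
        if f["suspicious"]:
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'{f["time"]} {f["ip"]} status={f["status"]} {PARAM}={f["value"]!r} {flag}')
    print("suspicious requests per source:", suspicious_sources(results))
```

On the constructed sample this reports the numeric request as ok and the two non-numeric values as suspicious; a 500 status alongside a flagged value is the "unusual database error" the third bullet refers to, so both signals are worth correlating.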

Mitigation Strategies

Immediate mitigation steps include implementing parameterized queries and strict input validation on the gblOrgID parameter to prevent SQL injection.

Additional recommended actions are to apply the principle of least privilege to database accounts, conduct code security audits, deploy web application firewalls to block malicious requests, and perform regular security testing.
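The two immediate mitigations, parameterized queries and strict validation of gblOrgID, shown as an added example (not the report's or Chanjet's code). The concatenation pattern is a hypothetical reconstruction of the flaw class the report describes, placed beside the hardened forms; the in-memory SQLite table, its columns and the assumption that gblOrgID is a positive integer are all mine.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the CRM's system table; not Chanjet's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE systable (gblOrgID INTEGER, org_name TEXT, api_secret TEXT)")
    conn.executemany(
        "INSERT INTO systable VALUES (?, ?, ?)",
        [(1, "org-one", "secret-1"), (2, "org-two", "secret-2"), (3, "org-three", "secret-3")],
    )
    return conn


def dump_systable_vulnerable(conn: sqlite3.Connection, gbl_org_id: str) -> list[str]:
    """The flaw class the report describes (hypothetical reconstruction): the
    request parameter is spliced into the SQL text, so quotes in it become SQL."""
    sql = "SELECT org_name FROM systable WHERE gblOrgID = '" + gbl_org_id + "'"
    return [row[0] for row in conn.execute(sql)]


def dump_systable_parameterized(conn: sqlite3.Connection, gbl_org_id: str) -> list[str]:
    """Parameterized query: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT org_name FROM systable WHERE gblOrgID = ?", (gbl_org_id,))
    return [row[0] for row in rows]


def validate_org_id(gbl_org_id: str) -> int:
    """Allow-list validation; assumes a legitimate gblOrgID is a positive integer."""
    if not gbl_org_id.isdigit():
        raise ValueError(f"invalid gblOrgID: {gbl_org_id!r}")
    return int(gbl_org_id)


def dump_systable_hardened(conn: sqlite3.Connection, gbl_org_id: str) -> list[str]:
    """Defence in depth: reject malformed input before the query, then bind it."""
    org_id = validate_org_id(gbl_org_id)
    rows = conn.execute("SELECT org_name FROM systable WHERE gblOrgID = ?", (org_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "1' OR '1'='1"   # the value quoted in the report's curl example
    print("vulnerable, id 2      :", dump_systable_vulnerable(db, "2"))
    print("vulnerable, probe     :", dump_systable_vulnerable(db, probe))
    print("parameterized, probe  :", dump_systable_parameterized(db, probe))
    try:
        dump_systable_hardened(db, probe)
    except ValueError as exc:
        print("hardened, probe       : rejected,", exc)
```

With the probe value the concatenated query returns every row, the parameterized query returns nothing because the whole string is compared as one value, and the hardened version refuses the request before any SQL runs. Parameterization alone closes the injection; the validation step additionally keeps malformed identifiers out of logs and error paths, which is what makes the earlier detection heuristic reliable.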

Compliance Impact

The SQL injection vulnerability in Chanjet CRM 1.0 allows unauthorized access to sensitive data and potential complete compromise of the CRM system. Such unauthorized data access and potential data breaches can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

Failure to properly secure the system against this vulnerability could result in exposure of personal data, violating data protection requirements and potentially leading to legal and financial penalties under these regulations.
