CVE-2026-13569

Received Received - Intake

SQL Injection in EyouCMS

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A security vulnerability has been detected in weng-xianhu EyouCMS up to 1.7.1. This issue affects some unknown processing of the file /index.php of the component API. Such manipulation of the argument click_like leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-29

Last Modified

2026-06-29

Generated

2026-06-29

AI Q&A

2026-06-29

EPSS Evaluated

N/A

NVD

CVE-2026-13569

EUVD

EUVD-2026-40089

Affected Vendors & Products

Vendor	Product	Version / Range
weng-xianhu	eyoucms	to 1.7.1 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Compliance Impact

The SQL injection vulnerability in EyouCMS up to version 1.7.1 allows remote attackers to manipulate database queries via the click_like parameter. This can lead to unauthorized access or modification of sensitive data.

Such unauthorized access or data manipulation could potentially result in non-compliance with data protection regulations like GDPR or HIPAA, which require the protection of personal and sensitive information against unauthorized access or breaches.

However, the provided information does not explicitly detail the impact on compliance with these standards or any mitigation measures.

Executive Summary

This vulnerability is a SQL injection issue found in EyouCMS version 1.7.1. It occurs due to improper processing of the 'click_like' parameter in the /index.php API component. An attacker can manipulate this parameter to inject malicious SQL commands, which can be executed remotely by crafting a specific URL.

The vulnerability allows attackers to execute arbitrary SQL queries on the backend database, potentially exposing sensitive data or altering the database.

Impact Analysis

This SQL injection vulnerability can allow an attacker to execute unauthorized SQL commands on your database remotely. This can lead to data leakage, data modification, or even complete compromise of the database.

Such an attack could result in exposure of sensitive information, disruption of service, or unauthorized changes to your website's data.

Detection Guidance

This SQL injection vulnerability can be detected by testing the affected endpoint with crafted payloads targeting the click_like parameter in the /index.php API component.

One way to detect the vulnerability is to send a specially crafted HTTP request to the vulnerable URL and observe if the response indicates SQL injection behavior.

Use curl or similar tools to send a request like: curl "http://<target>/index.php?s=/api/v1.Api/get_ask_details&ask_id=1&click_like=desc,extractvalue(1,concat(0x7e,database()))"
If the response contains database error messages or unusual output, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Since no official fix or patch has been released yet, immediate mitigation steps include restricting access to the vulnerable API endpoint and monitoring for suspicious requests.

You should implement web application firewall (WAF) rules to block requests containing suspicious SQL injection payloads targeting the click_like parameter.

Additionally, consider disabling or limiting the functionality of the affected API endpoint until a patch is available.

Regularly monitor logs for unusual activity and update the CMS to a patched version once it is released.

Hi! I’m here to help you understand CVE-2026-13569. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

SQL Injection in EyouCMS

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart