CVE-2026-14737
Received Received - Intake

SQL Injection in Hanwang e-Face General Management Platform

Vulnerability report for CVE-2026-14737, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was identified in Hanwang e-Face General Management Platform 6.3.5.4. This impacts an unknown function of the file /sysAuthStr/querySysAuthStr.do. The manipulation of the argument order leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hanwang e-face_general_management_platform 6.3.5.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Hanwang e-Face General Management Platform version 6.3.5.4, specifically in an unknown function within the file /sysAuthStr/querySysAuthStr.do.

The issue arises from the manipulation of the argument order, which leads to a SQL injection vulnerability.

An attacker can exploit this vulnerability remotely, and there is a publicly available exploit that might be used to carry out such an attack.

Impact Analysis

The vulnerability allows remote attackers to perform SQL injection attacks, which can lead to unauthorized access or manipulation of the database.

The CVSS scores indicate a high severity with potential impacts on confidentiality, integrity, and availability of the affected system.

  • Confidentiality: Partial loss of data confidentiality.
  • Integrity: Partial loss of data integrity.
  • Availability: Partial loss of system availability.
Compliance Impact

The vulnerability is a SQL injection in Hanwang e-Face General Management Platform 6.3.5.4 that can be exploited remotely. Such vulnerabilities can lead to unauthorized access, data leakage, or data manipulation.

While the specific impact on compliance with standards like GDPR or HIPAA is not detailed, SQL injection vulnerabilities generally pose risks to data confidentiality and integrity, which are critical requirements under these regulations.

Therefore, this vulnerability could potentially lead to non-compliance with data protection regulations if exploited, due to possible unauthorized access or alteration of sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart