CVE-2026-7060: High-Severity SQL Injection in liyupi yu-picture
The National Vulnerability Database has published CVE-2026-7060, a high-severity SQL injection vulnerability (CVSS 7.3) affecting liyupi yu-picture up to commit a053632c41340152bf75b66b3c543d129123d8ec. The flaw is in the PageRequest function of PictureServiceImpl.java, in the code that builds a MyBatis-Plus query: the client-supplied sortField value ends up as the ORDER BY column. A column name cannot be bound as a prepared-statement parameter, so MyBatis-Plus's orderBy() concatenates it into the SQL text, and whatever the client sends in sortField becomes part of the statement.
Attackers can exploit this remotely by manipulating the sortField argument, leading to unauthorized data access or modification. An exploit has been publicly disclosed, which raises the immediate risk for unpatched systems. Compounding the issue, the project has no tagged releases, so defenders cannot tell from a version string whether a deployment is affected; the commit hash above is the only reference point.
Despite early notification via a pull request, the project maintainers have yet to address the vulnerability. Until they do, users remain exposed to a high-severity remote SQL injection, a perennial favorite for attackers seeking initial access or data exfiltration. Apply the upstream patch as soon as one is available; in the meantime the practical fix is in your own hands: accept sortField only from a fixed allowlist of column names and reject everything else.
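As an added illustration (this is not code from the yu-picture project and not the published exploit), the following Python builds a page query the way an untrusted sort field reaches ORDER BY, then shows why that is exploitable even though no injected row is ever returned: a CASE expression in ORDER BY serves as a yes/no oracle against a table the endpoint never exposes. The table and column names, and the allowlist, are assumptions made for the example. The hardened builder beside it maps the client's sort field through an allowlist, which is the fix that applies when the sort column cannot be a bound parameter.

```python
import sqlite3

# Field names a client may sort by, mapped to the column each one names.
# Assumed for this example; not the project's schema.
ALLOWED_SORT_FIELDS = {
    "id": "id",
    "name": "name",
    "createTime": "create_time",
}


def build_query_vulnerable(sort_field: str, sort_order: str) -> str:
    """Vulnerable pattern: the caller's sort field is spliced into ORDER BY.

    This mirrors what an ORM's orderBy() has to do with a column name: it
    cannot be a bound parameter, so it is concatenated into the SQL text and
    whatever the client sent becomes part of the statement.
    """
    direction = "ASC" if sort_order == "ascend" else "DESC"
    return f"SELECT id, name FROM picture ORDER BY {sort_field} {direction}"


def build_query_safe(sort_field: str, sort_order: str) -> str:
    """Hardened pattern: only allowlisted field names reach the SQL text."""
    column = ALLOWED_SORT_FIELDS.get(sort_field)
    if column is None:
        raise ValueError(f"sort field not permitted: {sort_field!r}")
    direction = "ASC" if sort_order == "ascend" else "DESC"
    return f'SELECT id, name FROM picture ORDER BY "{column}" {direction}'


def make_db() -> sqlite3.Connection:
    """Constructed in-memory fixture: a picture table plus a user table the
    list endpoint is never supposed to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE picture (id INTEGER, name TEXT, create_time TEXT);
        INSERT INTO picture VALUES (1, 'cat', '2024-01-01'),
                                   (2, 'dog', '2024-01-02'),
                                   (3, 'owl', '2024-01-03');
        CREATE TABLE app_user (id INTEGER, user_account TEXT, user_role TEXT);
        INSERT INTO app_user VALUES (1, 'admin', 'admin');
        """
    )
    return conn


def boolean_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Use the vulnerable builder as a yes/no oracle on a hidden table.

    An ORDER BY expression may contain a subquery. Ordering by
    CASE WHEN <cond> THEN id ELSE -id END puts id 1 first when the condition
    is true and id 3 first when it is false, so the attacker reads one bit
    per request with no error message and no UNION output at all.
    """
    payload = f"(CASE WHEN ({condition}) THEN id ELSE -id END)"
    sql = build_query_vulnerable(payload, "ascend")
    first_id = conn.execute(sql).fetchone()[0]
    return first_id == 1


def safe_rejects(sort_field: str) -> bool:
    """True when the hardened builder refuses the given sort field."""
    try:
        build_query_safe(sort_field, "ascend")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Leaks the hidden user's role one comparison at a time.
    print(boolean_oracle(db, "(SELECT user_role FROM app_user WHERE id = 1) = 'admin'"))  # True
    print(boolean_oracle(db, "(SELECT user_role FROM app_user WHERE id = 1) = 'guest'"))  # False
    # The allowlisted builder only ever emits known column names.
    print(build_query_safe("createTime", "descend"))
    print(safe_rejects("(CASE WHEN 1=1 THEN id ELSE name END)"))  # True
```

The same oracle works against any database where ORDER BY accepts an expression, which is why blocking UNION or quotes in sortField is not a fix; the only robust control is to never let the client's string reach the SQL text, as the allowlisted builder does.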
What This Means For You
- If your organization uses liyupi yu-picture, assess your exposure to CVE-2026-7060 immediately. SQL injection is not a theoretical threat; it is a direct path to database compromise, and with a public exploit and no vendor patch the window is open now. Inventory every instance of this software in your environment, restrict who can reach it, and if you cannot patch the code yourself, isolate or disable the service until a fix is available.
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
🛡️ Detection Rules
```yaml
title: CVE-2026-7060: SQL Injection in liyupi yu-picture sortField parameter
id: scw-2026-04-26-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7060 by looking for SQL injection
  patterns in the 'sortField' parameter of the '/api/pictures/list' endpoint
  of the liyupi yu-picture application (vulnerable function PageRequest in
  PictureServiceImpl.java). Matches only when the parameter is carried in the
  query string; a sortField sent in a POST body does not appear in webserver
  access logs and needs WAF or application-level logging instead.
author: SCW Feed Engine (AI-generated)
date: 2026-04-26
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7060/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_uri:
    cs-uri|contains: '/api/pictures/list'
  selection_param:
    cs-uri-query|contains: 'sortField'
  selection_sqli:
    cs-uri-query|contains:
      - 'UNION'
      - 'SELECT'
      - 'FROM'
      - 'SLEEP('
      - 'BENCHMARK('
      - 'CASE WHEN'
      - 'IF('
  condition: selection_uri and selection_param and selection_sqli
falsepositives:
  - Legitimate administrative activity
  - Query-string values that legitimately contain words such as FROM or SELECT
```
The blind and conditional terms (SLEEP, BENCHMARK, CASE WHEN, IF) matter here because an injection into a sort column rarely needs UNION: the attacker changes the ordering or the response time instead of appending rows. Sigma string matching is case-insensitive, but it runs on the raw query string, so a URL-encoded parenthesis ('%28') will not match 'SLEEP(' unless the SIEM decodes the field before matching.
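To see what a rule of this shape actually catches, here is an added Python harness (not part of the page's rule set, the feed engine, or the project) that runs the matching logic over constructed access-log lines laid out in the webserver category's cs-uri / cs-uri-query fields. The log lines, the endpoint path and the status codes are made up for the example. It contrasts the UNION/SELECT/FROM pattern with a broader set of ORDER BY terms, and normalizes the parameter value (URL-decode, lowercase, collapse whitespace) before matching, which is the step a raw-string match skips.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed W3C-style access log lines: date time method cs-uri cs-uri-query status.
# Made up for this example; not logs from a real deployment.
SAMPLE_LOG = """\
2026-04-27 01:20:01 GET /api/pictures/list sortField=createTime&sortOrder=descend 200
2026-04-27 01:20:02 GET /api/pictures/list sortField=id%20UNION%20SELECT%20user_account%20FROM%20user 200
2026-04-27 01:20:03 GET /api/pictures/list sortField=(SELECT%20SLEEP(5)) 200
2026-04-27 01:20:04 GET /api/pictures/list sortField=(CASE%20WHEN%20(1%3D1)%20THEN%20id%20ELSE%20name%20END) 200
2026-04-27 01:20:05 GET /api/pictures/list sortField=from_date 200
2026-04-27 01:20:06 GET /api/pictures/list sortField=%2528SELECT%2520SLEEP%25285%2529%2529 200
"""

TARGET_URI = "/api/pictures/list"   # assumed endpoint, as given in the rule
# Narrow pattern: all three UNION-style terms must be present.
UNION_TERMS = ("union", "select", "from")
# Terms an ORDER BY injection uses when there is no result column to UNION into.
BLIND_TERMS = ("sleep(", "benchmark(", "case when", "if(", "--", "/*")


def parse_line(line: str) -> dict:
    """Split one log line into the fields the rule inspects."""
    _date, _time, _method, uri, query, _status = line.split()
    return {"uri": uri, "query": query, "params": parse_qs(query, keep_blank_values=True)}


def normalize(value: str) -> str:
    """Decode a second time (double-encoded payloads), lowercase, collapse spaces."""
    return re.sub(r"\s+", " ", unquote_plus(value).lower())


def evaluate(line: str) -> dict:
    """Apply both rule variants to one line and report which fired."""
    rec = parse_line(line)
    result = {"uri": rec["uri"], "target": False, "union_rule": False, "blind_rule": False}
    if TARGET_URI not in rec["uri"] or "sortField" not in rec["params"]:
        return result
    result["target"] = True
    value = normalize(rec["params"]["sortField"][0])
    result["union_rule"] = all(t in value for t in UNION_TERMS)
    result["blind_rule"] = result["union_rule"] or any(t in value for t in BLIND_TERMS)
    return result


def run(log: str = SAMPLE_LOG) -> list:
    """Evaluate every non-empty line of the log."""
    return [evaluate(line) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in run():
        print(f"union={row['union_rule']!s:5} blind={row['blind_rule']!s:5} {row['uri']}")
```

Of the five malicious-looking lines, the UNION pattern fires on exactly one; the time-based, conditional and double-encoded payloads only register once the blind terms are included and the value is decoded, while the benign `from_date` value is ignored by both because a single keyword is not treated as evidence.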
Vulnerability Details
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7060 | SQLi | liyupi yu-picture up to a053632c41340152bf75b66b3c543d129123d8ec |
| CVE-2026-7060 | SQLi | Vulnerable function: PageRequest in yu-picture-backend/src/main/java/com/yupi/yupicturebackend/service/impl/PictureServiceImpl.java |
| CVE-2026-7060 | SQLi | Vulnerable component: MyBatis-Plus |
| CVE-2026-7060 | SQLi | Manipulation of argument: sortField |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 01:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.