Jinher OA 1.0 SQL Injection (CVE-2026-7670) Exposes Data Remotely

The National Vulnerability Database (NVD) reports a critical SQL injection vulnerability, CVE-2026-7670, in Jinher OA 1.0. This flaw, found in an unspecified function within the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx file, allows for remote exploitation by manipulating the DeptIDList argument. With a CVSS score of 7.3 (High), this vulnerability poses a significant risk due to its low attack complexity and lack of required privileges.

The attacker’s calculus here is straightforward: remote code execution (RCE) or data exfiltration. The NVD notes that the exploit has been publicly disclosed, meaning opportunistic attackers are already weaponizing it. The lack of vendor response further exacerbates the risk, leaving organizations exposed without an official patch or mitigation guidance. This isn’t theoretical; this is a direct path to compromise for any exposed Jinher OA 1.0 instance.

Defenders need to treat this as an active threat. Given the remote exploitability and public disclosure, assume compromise attempts are underway. Organizations using Jinher OA 1.0 must prioritize immediate identification of internet-facing instances and implement network-level segmentation or access restrictions to mitigate the threat. Without a patch, limiting exposure is the only viable short-term defense.

What This Means For You

  • If your organization uses Jinher OA 1.0, you are exposed to remote SQL injection via CVE-2026-7670. Immediately identify all instances of Jinher OA 1.0 within your environment, especially those accessible from the internet. Implement network access controls to restrict access to these systems to only trusted internal networks or VPNs. Audit logs for suspicious activity related to `/C6/JHSoft.Web.PlanSummarize/UserSel.aspx` and `DeptIDList` manipulation.
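One way to run the log audit described above, as an added example that is not part of the original advisory or any vendor tooling. It assumes IIS W3C extended logs (the `#Fields:` header and `cs-uri-stem`/`cs-uri-query` columns) and assumes a benign `DeptIDList` is a comma-separated list of simple IDs; the sample log lines are constructed. Values are URL-decoded before inspection, so requests encoded with `+`, `%20` or double encoding are still flagged.

```python
import re
from urllib.parse import parse_qsl, unquote

TARGET = "/c6/jhsoft.web.plansummarize/usersel.aspx"   # path named in the advisory
PARAM = "deptidlist"                                    # argument named in the advisory
# Assumption: a benign DeptIDList is a comma-separated list of simple IDs.
BENIGN = re.compile(r"[A-Za-z0-9_,-]*")
SQL_HINT = re.compile(r"'|--|/\*|;|\b(?:or|and|union|select|from|exec|waitfor)\b", re.I)

# Constructed sample in IIS W3C extended format (assumed log format, not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-03 02:20:01 10.0.0.5 GET /C6/JHSoft.Web.PlanSummarize/UserSel.aspx DeptIDList=12,15,20 200
2026-05-03 02:21:10 203.0.113.7 GET /C6/JHSoft.Web.PlanSummarize/UserSel.aspx DeptIDList=1%27+OR+%271%27%3D%271 200
2026-05-03 02:21:15 203.0.113.7 GET /c6/jhsoft.web.plansummarize/usersel.aspx deptidlist=1%2520UNION%2520SELECT%25201 500
2026-05-03 02:22:00 10.0.0.8 GET /C6/Other.aspx DeptIDList=1%27 200
"""

def audit(lines):
    """Return (client_ip, decoded_value, reason) for suspicious DeptIDList values."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can differ per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if TARGET not in row.get("cs-uri-stem", "").lower():
            continue
        # parse_qsl decodes %XX and '+' once; unquote again to catch double encoding.
        for key, value in parse_qsl(row.get("cs-uri-query", ""), keep_blank_values=True):
            if key.lower() != PARAM:
                continue
            value = unquote(value)
            if BENIGN.fullmatch(value):
                continue                       # plain ID list, nothing to report
            reason = "sql-syntax" if SQL_HINT.search(value) else "unexpected-chars"
            hits.append((row.get("c-ip", "?"), value, reason))
    return hits

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG.splitlines()):
        print(hit)
```

Tune `BENIGN` to the parameter format your deployment actually sends before relying on the `unexpected-chars` results.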

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

CVE-2026-7670 - Jinher OA 1.0 UserSel.aspx SQL Injection (critical, T1190 Initial Access)

Sigma YAML:

```yaml
title: CVE-2026-7670 - Jinher OA 1.0 UserSel.aspx SQL Injection
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit the SQL injection vulnerability in Jinher OA 1.0 by targeting the UserSel.aspx page and manipulating the DeptIDList parameter. This rule looks for the specific file path and common SQL injection keywords within the query string, indicating a potential exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7670/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Path of the vulnerable page (cs-uri-stem is the webserver field paired with cs-uri-query).
  selection_path:
    cs-uri-stem|contains: '/C6/JHSoft.Web.PlanSummarize/UserSel.aspx'
  # The manipulated argument must be present in the query string.
  selection_param:
    cs-uri-query|contains: 'DeptIDList='
  # Any one of these keywords is enough. They are space-delimited, so queries
  # logged URL-encoded (%20 or +) will not match these literals.
  selection_sqli:
    cs-uri-query|contains:
      - ' OR '
      - ' = '
      - ' UNION '
      - ' SELECT '
      - ' FROM '
  condition: selection_path and selection_param and selection_sqli
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7670 | SQLi | Jinher OA 1.0 |
| CVE-2026-7670 | SQLi | /C6/JHSoft.Web.PlanSummarize/UserSel.aspx |
| CVE-2026-7670 | SQLi | argument DeptIDList |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 03, 2026 at 02:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
