CVE-2026-1120 Overview
CVE-2026-1120 is a SQL injection vulnerability in Yonyou KSOA 9.0. The flaw resides in an unknown function within /worksheet/del_work.jsp, part of the HTTP GET parameter handler. Attackers manipulate the ID parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is remotely exploitable without authentication or user interaction. Public disclosure of the exploit details has occurred, and the vendor did not respond to early notification. The issue is tracked under [CWE-89] (SQL Injection) and [CWE-74] (Improper Neutralization of Special Elements in Output).
Critical Impact
Unauthenticated remote attackers can inject SQL through the ID GET parameter, potentially exposing or modifying data stored in the KSOA backend database.
Affected Products
- Yonyou KSOA 9.0
- Component: /worksheet/del_work.jsp
- Component: HTTP GET Parameter Handler
Discovery Timeline
- 2026-01-18 - CVE-2026-1120 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-1120
Vulnerability Analysis
The vulnerability exists in the del_work.jsp endpoint inside the worksheet module of Yonyou KSOA 9.0. The endpoint accepts an ID parameter through an HTTP GET request and forwards the value into a SQL statement without sanitization or parameterization. An attacker controls a database query fragment by supplying crafted input in the ID argument.
Because the endpoint is reachable over the network and requires no authentication, an attacker can issue exploitation requests directly against any exposed KSOA 9.0 instance. The vulnerability has been publicly disclosed, increasing the likelihood of opportunistic scanning.
Successful exploitation may allow data extraction, unauthorized modification of worksheet records, or further pivoting against the database account used by KSOA. The impact scope depends on the database privileges granted to the application service account.
Root Cause
The root cause is improper neutralization of user-supplied input before incorporation into a SQL query, classified under [CWE-89]. The del_work.jsp handler concatenates the ID GET parameter directly into a SQL statement rather than using prepared statements or bound parameters. This pattern is consistent with legacy JSP applications that build dynamic queries through string concatenation.
Attack Vector
The attack vector is network-based. An attacker sends a crafted HTTP GET request to /worksheet/del_work.jsp with a malicious payload in the ID parameter. The injected SQL fragment is parsed and executed by the underlying database engine. No credentials, tokens, or user interaction are required to trigger the flaw.
For technical details, refer to the GitHub Issue Discussion and the VulDB CTI Entry #341712.
Detection Methods for CVE-2026-1120
Indicators of Compromise
- HTTP GET requests to /worksheet/del_work.jsp containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences (--, #, /*) in the ID parameter.
- Repeated requests to del_work.jsp from a single source within a short timeframe, indicative of automated injection tooling.
- Database error messages or anomalous response lengths returned from del_work.jsp requests.
Detection Strategies
- Inspect web server access logs for del_work.jsp requests where the ID parameter contains non-numeric characters or encoded SQL syntax.
- Deploy a web application firewall (WAF) rule that flags SQL injection signatures against the /worksheet/ path.
- Correlate database query logs with web requests to identify queries containing unexpected UNION or time-delay functions originating from KSOA sessions.
Monitoring Recommendations
- Enable verbose request logging on the KSOA application server, capturing full query strings for the worksheet endpoints.
- Forward web and database logs to a centralized SIEM for correlation and retention.
- Alert on outbound database connections initiating unusual queries against tables not normally accessed by the worksheet module.
How to Mitigate CVE-2026-1120
Immediate Actions Required
- Restrict network access to KSOA 9.0 management and worksheet endpoints using firewall rules or VPN-only access until a vendor patch is available.
- Deploy WAF rules blocking SQL metacharacters and known injection payloads on requests to /worksheet/del_work.jsp.
- Audit the application database account and reduce its privileges to the minimum required for KSOA operation.
- Review recent web and database logs for evidence of exploitation against the ID parameter.
Patch Information
No vendor patch is currently available. The vendor, Yonyou, was contacted prior to disclosure but did not respond. Operators of KSOA 9.0 should monitor Yonyou support channels for an official fix and apply compensating controls in the interim.
Workarounds
- Block external access to /worksheet/del_work.jsp at the reverse proxy or WAF layer if the endpoint is not required.
- Implement strict input validation at a proxy tier that rejects non-integer values in the ID parameter before requests reach the JSP handler.
- Place KSOA behind authenticated access controls such as a VPN or zero-trust gateway to remove unauthenticated network exposure.
# Example WAF rule (ModSecurity) to block SQLi attempts against del_work.jsp
SecRule REQUEST_URI "@contains /worksheet/del_work.jsp" \
"id:1002026,phase:2,deny,status:403,\
chain,msg:'Potential SQLi targeting CVE-2026-1120'"
SecRule ARGS:ID "@rx (?i)(union|select|sleep\(|--|/\*|';)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
