CVE-2026-11412: Jinher OA C6 SQL Injection Vulnerability

CVE-2026-11412 Overview

CVE-2026-11412 is a SQL injection vulnerability in Jinher OA C6, an office automation platform. The flaw resides in an unknown function within the /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx endpoint. Attackers can manipulate the queryID parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is remotely exploitable and requires low-level privileges to execute. Public exploit code has been disclosed, increasing the likelihood of opportunistic attacks. The vendor was contacted prior to public disclosure but did not respond, and no official patch has been released. The weakness is classified under [CWE-74] for improper neutralization of special elements in output.

Critical Impact
Remote authenticated attackers can inject SQL through the queryID parameter to read or modify backend database contents.

Affected Products

Jinher OA C6 (specific versions not enumerated by the vendor)
Deployments exposing /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx
Internet-facing Jinher OA installations

Discovery Timeline

2026-06-06 - CVE-2026-11412 published to NVD
2026-06-08 - Last updated in NVD database

Technical Details for CVE-2026-11412

Vulnerability Analysis

The vulnerability exists in the request handling logic of GetFormSn.aspx, part of the JHSoft.Web.ModuleCount module in Jinher OA C6. The application accepts the queryID request parameter and incorporates it into a SQL statement without proper sanitization or parameterization. An authenticated remote attacker can send a crafted HTTP request that breaks out of the intended SQL context. Successful exploitation allows reading, modifying, or extracting database records depending on the privileges of the underlying database account. Public availability of exploit details lowers the barrier for unsophisticated actors.

Root Cause

The root cause is improper neutralization of special elements within a downstream component [CWE-74]. The queryID value is concatenated directly into a SQL query string rather than passed through parameterized statements or stored procedures with strong typing. Input validation routines do not filter SQL metacharacters such as single quotes, semicolons, or comment sequences. This pattern is consistent with legacy ASP.NET applications that build dynamic queries using string concatenation.

Attack Vector

The attack is network-based and requires the attacker to issue HTTP requests to the vulnerable endpoint. The CVSS vector indicates low privileges are required, suggesting the attacker must hold an authenticated session within the OA system. No user interaction is necessary. An attacker submits a request to /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx with a malicious queryID parameter containing SQL syntax such as union-based or boolean-based injection payloads. Public proof-of-concept material has been posted; refer to the GitHub Issue Discussion and the VulDB Vulnerability Details for technical specifics.

Detection Methods for CVE-2026-11412

Indicators of Compromise

HTTP requests to /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx containing SQL metacharacters in the queryID parameter (', --, ;, UNION, SELECT).
Unexpected database errors or 500 responses originating from the JHSoft.Web.ModuleCount module.
Anomalous outbound queries from the OA application's database service account.

Detection Strategies

Inspect web server and IIS access logs for requests targeting GetFormSn.aspx with encoded SQL payloads in query strings.
Deploy WAF signatures that flag SQL injection patterns against the queryID parameter.
Correlate authentication events with subsequent abnormal database query volume from the OA host.

Monitoring Recommendations

Enable SQL Server auditing on the Jinher OA database to capture dynamic query execution.
Alert on first-seen queryID values containing reserved SQL keywords.
Monitor low-privileged OA accounts for unusual access to the vulnerable endpoint.

How to Mitigate CVE-2026-11412

Immediate Actions Required

Restrict network access to /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx through firewall or reverse proxy rules until a vendor patch is available.
Audit Jinher OA C6 user accounts and disable inactive or low-trust users that could be abused for authenticated exploitation.
Review database account permissions for the OA service and apply least-privilege constraints.

Patch Information

The vendor, Jinher, did not respond to disclosure attempts and has not released an official patch at the time of CVE publication. Organizations should monitor the VulDB CVE Record and the vendor's support channels for future advisories. Until a fix is published, compensating controls are required to reduce exposure.

Workarounds

Deploy a web application firewall rule blocking SQL metacharacters in the queryID parameter of requests to GetFormSn.aspx.
Remove or restrict the JHSoft.Web.ModuleCount module if it is not required for business operations.
Place the OA application behind a VPN or zero-trust gateway to eliminate unauthenticated internet exposure.
Rotate database credentials and revoke unnecessary privileges from the OA service account.

bash

# Example IIS URL Rewrite rule to block suspicious queryID values
<rule name="Block-SQLi-queryID" stopProcessing="true">
  <match url="C6/JHSoft\.Web\.ModuleCount/GetFormSn\.aspx" />
  <conditions>
    <add input="{QUERY_STRING}" pattern="(?i)queryID=[^&]*(union|select|--|;|')" />
  </conditions>
  <action type="AbortRequest" />
</rule>