CVE-2026-11456 Overview
CVE-2026-11456 is a SQL injection vulnerability in Chanjet CRM 1.0. The flaw resides in the /tools/jxf_dump_systable.php script, which processes HTTP GET requests without properly sanitizing the gblOrgID parameter. Attackers can manipulate this argument to inject arbitrary SQL statements into backend database queries. The vulnerability is categorized under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Exploitation is possible remotely without authentication or user interaction. A public proof-of-concept is available, and the vendor did not respond to disclosure attempts, leaving deployments without an official patch.
Critical Impact
Remote, unauthenticated attackers can inject SQL queries against Chanjet CRM databases through the gblOrgID parameter, potentially exposing or altering CRM records.
Affected Products
- Chanjet CRM 1.0
- Component: HTTP GET Request Handler in /tools/jxf_dump_systable.php
- Parameter: gblOrgID
Discovery Timeline
- 2026-06-07 - CVE-2026-11456 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-11456
Vulnerability Analysis
The vulnerability exists in the jxf_dump_systable.php script shipped with Chanjet CRM 1.0. The script reads a gblOrgID parameter from the HTTP GET request and embeds the value directly into a SQL query without input validation or parameterization, so an attacker who places SQL syntax in gblOrgID can break out of the intended query context and run attacker-controlled statements against the CRM database. Because the application stores customer relationship data, successful injection can expose or alter sensitive business records. The vendor was contacted prior to disclosure but did not respond, and no official fix is published.
Root Cause
The root cause is missing input neutralization on the gblOrgID argument before it reaches the database driver. The PHP handler concatenates user-supplied data into a SQL statement rather than using prepared statements or bound parameters, so quotes, comment sequences, and additional clauses pass through unchanged, satisfying the conditions for classic SQL injection described in [CWE-74]. Whether stacked (semicolon-separated) statements actually execute depends on the database API the script uses; UNION-based, boolean-based, and time-based injection do not need stacked queries and work through a single concatenated statement.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends an HTTP GET request to the vulnerable endpoint with a malicious gblOrgID value, for example by appending UNION SELECT clauses, boolean conditions, or time-based payloads. A proof-of-concept is published as a GitHub Gist and indexed in the VulDB entry for CVE-2026-11456. Because the exploit is publicly available, opportunistic scanning and automated exploitation are likely.
No verified code from the affected script is available; refer to the linked PoC and advisory for technical reproduction details.
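The concatenation-versus-binding difference described under Root Cause and Attack Vector, shown as an added Python/SQLite analogue. This is not Chanjet's code (the page does not reproduce it): the systable and users tables, their columns, and the payloads are constructed for illustration. dump_vulnerable builds the query by string concatenation as the advisory describes, so a UNION payload pulls rows from an unrelated table and a boolean payload changes the row count; dump_hardened enforces the numeric allowlist and binds the value, so the same payloads are rejected before any SQL runs. Time-based payloads are not shown because SQLite has no SLEEP function.

```python
import sqlite3

# Constructed stand-in schema; table and column names are assumptions,
# not Chanjet CRM's real schema.
SCHEMA = """
CREATE TABLE systable (gblOrgID INTEGER, name TEXT);
CREATE TABLE users (username TEXT, password_hash TEXT);
INSERT INTO systable VALUES (1, 'Head office'), (2, 'Branch');
INSERT INTO users VALUES ('admin', 'sha1:deadbeef'), ('sales', 'sha1:cafebabe');
"""


def fresh_db():
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def dump_vulnerable(conn, gbl_org_id):
    """Mirrors the pattern the advisory describes: the GET parameter is
    concatenated straight into the SQL text, so its contents are parsed as SQL."""
    sql = "SELECT gblOrgID, name FROM systable WHERE gblOrgID = " + gbl_org_id
    return conn.execute(sql).fetchall()


def dump_hardened(conn, gbl_org_id):
    """Allowlist plus bound parameter: the value is only ever compared as an integer."""
    if not gbl_org_id.isdigit():
        raise ValueError("gblOrgID must be numeric")
    return conn.execute(
        "SELECT gblOrgID, name FROM systable WHERE gblOrgID = ?",
        (int(gbl_org_id),),
    ).fetchall()


# Payloads of the kinds the advisory names (constructed examples).
UNION_PAYLOAD = "1 UNION SELECT username, password_hash FROM users"
BOOLEAN_TRUE = "1 OR 1=1"    # widens the WHERE clause to every row
BOOLEAN_FALSE = "1 AND 1=2"  # collapses it to no rows


if __name__ == "__main__":
    db = fresh_db()
    print("legit:", dump_vulnerable(db, "1"))
    print("union:", dump_vulnerable(db, UNION_PAYLOAD))
    print("true :", dump_vulnerable(db, BOOLEAN_TRUE))
    print("false:", dump_vulnerable(db, BOOLEAN_FALSE))
    try:
        dump_hardened(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("hardened rejected payload:", exc)
```

The difference between the two boolean payloads is exactly what a blind injection attacker measures when the endpoint returns no visible rows; the hardened variant removes that signal because the value never reaches the parser as SQL.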
Detection Methods for CVE-2026-11456
Indicators of Compromise
- HTTP GET requests to /tools/jxf_dump_systable.php containing SQL metacharacters in the gblOrgID parameter such as single quotes, UNION, SELECT, SLEEP(, or comment markers. These usually arrive URL-encoded (for example %27 for a single quote and %20 for a space), so decode the query string before matching.
- Unexpected database errors or extended response times correlated with requests to jxf_dump_systable.php.
- Outbound traffic from the CRM host to attacker-controlled infrastructure following anomalous query patterns.
Detection Strategies
- Deploy web application firewall rules that inspect the gblOrgID query string for SQL injection signatures and block matches. Because gblOrgID is expected to be numeric, also reject any value that is not purely digits; keyword signatures alone miss boolean payloads such as 1 AND 1=1.
- Enable database audit logging to capture queries originating from the CRM service account and alert on unions, information_schema reads, or stacked statements.
- Hunt across web server access logs for repeated requests to /tools/jxf_dump_systable.php from a single source within short time windows.
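The Indicators of Compromise and the access-log hunt above, implemented as an added Python example (not part of the original page and not a Chanjet tool). It parses Common Log Format lines, which is an assumption about the CRM's front-end web server, decodes the gblOrgID values, flags values that match the IoC keyword list, separately flags any value that is not purely numeric, records HTTP 500 responses on the endpoint, and reports sources that hit the endpoint at least THRESHOLD times inside WINDOW. The log lines, the IP addresses, and the threshold and window values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/tools/jxf_dump_systable.php"
PARAM = "gblOrgID"
# Metacharacters and keywords from the Indicators of Compromise list.
SQLI_RE = re.compile(r"(?i)('|\bunion\b|\bselect\b|sleep\s*\(|--|/\*)")
# Burst hunt: this many endpoint hits from one source within WINDOW.
# Assumed values; tune against the real CRM traffic baseline.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5

# Common Log Format (assumption about the front-end server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2026:10:00:01 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Jun/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.23 - - [07/Jun/2026:10:05:00 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1%27 HTTP/1.1" 500 0',
    '198.51.100.23 - - [07/Jun/2026:10:05:02 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1%20AND%201%3D1 HTTP/1.1" 200 512',
    '198.51.100.23 - - [07/Jun/2026:10:05:10 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1%20UNION%20SELECT%201,2-- HTTP/1.1" 200 640',
    '198.51.100.23 - - [07/Jun/2026:10:05:20 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '198.51.100.23 - - [07/Jun/2026:10:05:40 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=2 HTTP/1.1" 200 512',
]


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "target": m["target"],
        "status": int(m["status"]),
    }


def param_values(target):
    """Decoded gblOrgID values for a request to the endpoint; None for other paths."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    # parse_qs decodes once; decode again so double-encoded payloads are visible.
    query = parse_qs(parts.query, keep_blank_values=True)
    return [unquote_plus(v) for v in query.get(PARAM, [])]


def analyze(lines):
    """Return IoC matches, allowlist violations, 500s and bursty sources."""
    probes, non_numeric, errors = [], [], []
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        values = param_values(rec["target"])
        if values is None:
            continue  # not the vulnerable endpoint
        hits[rec["ip"]].append(rec["ts"])
        if rec["status"] == 500:
            errors.append(rec)
        for v in values:
            if SQLI_RE.search(v):
                probes.append((rec["ip"], v))
            if not v.isdigit():
                non_numeric.append((rec["ip"], v))
    # Sliding window over each source's sorted timestamps.
    bursts = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                bursts[ip] = max(bursts.get(ip, 0), end - start + 1)
    return {"probes": probes, "non_numeric": non_numeric, "errors": errors, "bursts": bursts}


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

In the constructed sample the request with gblOrgID=1 AND 1=1 contains none of the listed metacharacters and so is not in probes, but it does appear in non_numeric; that is why the allowlist check belongs next to the keyword list, in both detection and the WAF rule.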
Monitoring Recommendations
- Forward web, application, and database logs to a centralized analytics platform and baseline normal query shapes against the CRM workload.
- Alert on HTTP 500 responses or database driver exceptions tied to the affected endpoint, which often accompany injection probing.
- Correlate authentication, file access, and outbound DNS telemetry from the CRM host to identify post-exploitation activity.
How to Mitigate CVE-2026-11456
Immediate Actions Required
- Restrict network access to /tools/jxf_dump_systable.php so that only trusted administrative IP ranges can reach the endpoint.
- Deploy WAF signatures that block SQL injection payloads targeting the gblOrgID parameter until a vendor patch is available.
- Rotate database credentials used by the CRM application and review database logs for unauthorized queries.
Patch Information
The vendor was contacted but did not respond, and no official patch has been released for Chanjet CRM 1.0 at the time of disclosure. Monitor the VulDB Vulnerability #369075 entry and the vendor's support channels for updates. In the absence of a fix, treat the affected installation as exposed and apply compensating controls.
Workarounds
- Place the CRM application behind a reverse proxy that strips or validates the gblOrgID parameter against an allowlist of numeric values.
- Remove or rename the jxf_dump_systable.php file if the diagnostic functionality it provides is not required in production.
- Configure the CRM database account with least-privilege permissions, denying access to system tables and write operations outside required schemas.
# Example WAF rule (ModSecurity) blocking SQL metacharacters in gblOrgID.
# ARGS values are already URL-decoded once by the engine; t:urlDecodeUni
# decodes a second time so double-encoded payloads are matched too. Because
# gblOrgID is expected to be numeric, a negated allowlist ("!@rx ^[0-9]+$")
# is stricter than this signature list and also catches boolean payloads.
SecRule ARGS:gblOrgID "@rx (?i)(union|select|sleep\s*\(|--|'|/\*)" \
    "id:1026114560,phase:2,t:none,t:urlDecodeUni,deny,status:403,msg:'CVE-2026-11456 SQLi attempt on gblOrgID'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.