CVE-2026-1546 Overview
CVE-2026-1546 is a SQL injection vulnerability in jishenghua jshERP up to version 3.6. The flaw resides in the getBillItemByParam function within com.jsh.erp.datasource.mappers.DepotItemMapperEx, reached through the /jshERP-boot/depotItem/importItemExcel endpoint. Attackers manipulate the barCodes argument to inject arbitrary SQL into backend database queries. The issue is classified under CWE-89 SQL Injection and CWE-74 Improper Neutralization. Remote exploitation is possible with low-privileged authenticated access, and the exploit has been disclosed publicly. The vendor was notified through an issue report but has not responded.
Critical Impact
Authenticated remote attackers can inject SQL through the barCodes parameter, exposing limited confidentiality, integrity, and availability of jshERP database contents.
Affected Products
- jishenghua jshERP versions up to and including 3.6
- Component: com.jsh.erp.datasource.mappers.DepotItemMapperEx
- Endpoint: /jshERP-boot/depotItem/importItemExcel
Discovery Timeline
- 2026-01-28 - CVE-2026-1546 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-1546
Vulnerability Analysis
The vulnerability stems from unsanitized user input flowing into a SQL query inside the getBillItemByParam MyBatis mapper method. The barCodes argument, supplied via the /jshERP-boot/depotItem/importItemExcel request handler, is concatenated into the SQL statement rather than bound as a parameter. This permits an attacker to break out of the intended query context and append arbitrary SQL clauses.
jshERP is an open-source enterprise resource planning system used for inventory, sales, and procurement workflows. Successful injection can read or alter rows in depot item tables and adjacent business records. The disclosure exists publicly and may be referenced by opportunistic actors, but no in-the-wild exploitation has been confirmed.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command. The DepotItemMapperEx mapper accepts the barCodes value directly into a dynamic SQL fragment, bypassing the parameter-binding model that MyBatis offers through #{} placeholders. The use of string substitution (${}) or equivalent concatenation enables tainted input to influence query structure.
Attack Vector
The attack vector is network-accessible HTTP. An authenticated user with low privileges sends a crafted request to /jshERP-boot/depotItem/importItemExcel containing a malicious barCodes payload. No user interaction is required. The exploit chain proceeds as follows: authenticate to jshERP, submit the import endpoint request with SQL metacharacters injected into barCodes, and observe data exfiltration or modification through the backend response.
For technical specifics, see the GitHub Issue Detail and the VulDB entry #343230.
Detection Methods for CVE-2026-1546
Indicators of Compromise
- HTTP POST requests to /jshERP-boot/depotItem/importItemExcel containing SQL metacharacters such as single quotes, UNION, SELECT, --, or /* inside the barCodes parameter
- Unexpected database errors or stack traces in jshERP application logs originating from DepotItemMapperEx.getBillItemByParam
- Anomalous outbound data volume from the jshERP database server following requests to the import endpoint
Detection Strategies
- Deploy a web application firewall ruleset that inspects request bodies destined for /jshERP-boot/depotItem/ paths and blocks SQL injection signatures
- Enable database query logging and alert on queries containing tautologies (OR 1=1), UNION SELECT patterns, or comment terminators originating from the jshERP service account
- Correlate authentication events with subsequent abnormal database read volumes per user session
Monitoring Recommendations
- Log all requests to the importItemExcel endpoint with full parameter values for forensic review
- Monitor for repeated 500-series responses from the jshERP API, which may indicate injection probing
- Track database account activity for queries that deviate from the application's normal query fingerprint
How to Mitigate CVE-2026-1546
Immediate Actions Required
- Restrict network access to /jshERP-boot/depotItem/importItemExcel to trusted internal IP ranges until a vendor patch is available
- Audit jshERP user accounts and revoke unnecessary low-privileged accounts that can reach the import functionality
- Apply WAF virtual patching rules to filter SQL metacharacters in the barCodes parameter
Patch Information
No official patch is available at the time of publication. The maintainer was notified through the GitHub issue tracker but has not responded. Monitor the jshERP project repository for updates.
Workarounds
- Disable the depot item Excel import feature in production deployments where it is not required
- Place the jshERP application behind a reverse proxy that enforces strict input validation on numeric and barcode-formatted fields
- Enforce least-privilege database credentials for the jshERP service account to limit the impact of successful injection
# Example nginx configuration to block obvious SQLi patterns on the affected endpoint
location /jshERP-boot/depotItem/importItemExcel {
if ($args ~* "(union|select|insert|update|delete|drop|--|/\*)") {
return 403;
}
if ($request_body ~* "(union|select|--|/\*|';)") {
return 403;
}
proxy_pass http://jsherp_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

