CVE-2026-37428 Overview
CVE-2026-37428 is a SQL injection vulnerability in qihang-wms commit 75c15a, an open-source warehouse management system. The flaw resides in the SysDeptMapper.xml MyBatis mapper file, where the datascope parameter is concatenated into a SQL query without proper sanitization. Remote unauthenticated attackers can manipulate the parameter to execute arbitrary SQL statements against the backend database. Successful exploitation exposes sensitive records, including users' Personally Identifiable Information (PII). The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Attackers can extract PII and other sensitive database contents from qihang-wms deployments running the affected commit by injecting SQL through the datascope parameter.
Affected Products
- qihang-wms warehouse management system at commit 75c15a
- Deployments using the vulnerable SysDeptMapper.xml mapper
- Downstream forks that inherit the unsanitized datascope handling
Discovery Timeline
- 2026-05-13 - CVE-2026-37428 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-37428
Vulnerability Analysis
The vulnerability exists in the SysDeptMapper.xml file, which defines MyBatis SQL mappings for the system department module of qihang-wms. The datascope parameter, used to scope department queries, is injected directly into the SQL statement using string concatenation rather than parameterized binding. An attacker who controls the value of datascope can append arbitrary SQL clauses to the original query.
Because the affected endpoint is reachable over the network and does not require privileges or user interaction, attackers can probe the parameter with standard SQL injection payloads. The impact is limited to confidentiality and integrity of data returned by the query, with no direct effect on availability. Exposed data includes user records containing PII managed by the department module.
Root Cause
The root cause is unsafe SQL construction inside the MyBatis mapper. Parameters intended to influence query structure are interpolated using ${...} substitution instead of the #{...} placeholder syntax that performs prepared-statement binding. The ${datascope} token therefore allows any user-supplied string to become part of the SQL text sent to the database, defeating type checks and escape routines.
Attack Vector
Exploitation occurs remotely over HTTP. An attacker submits a crafted request to an endpoint that invokes the vulnerable department query and supplies a malicious datascope value containing SQL syntax such as UNION SELECT statements or boolean-based blind injection payloads. The backend executes the appended SQL, returning attacker-selected rows in the response or via inferred timing. Refer to the GitHub CVE SQL Injection Documentation and the GitHub Gist Vulnerability Report for proof-of-concept details.
Detection Methods for CVE-2026-37428
Indicators of Compromise
- HTTP requests containing SQL metacharacters such as ', --, UNION, or SLEEP( within the datascope query parameter or form field.
- Database error messages referencing SysDeptMapper or department-scope queries in application logs.
- Anomalous SELECT statements against user or department tables originating from the qihang-wms service account.
Detection Strategies
- Inspect web server and application logs for parameter values that deviate from the expected enumerated datascope codes (typically short numeric identifiers).
- Deploy a Web Application Firewall (WAF) rule that blocks SQL injection patterns targeting the datascope field.
- Enable database query auditing to flag unexpected UNION operators or queries that read from authentication-related tables.
Monitoring Recommendations
- Alert on bursts of failed or unusually long SQL queries from the qihang-wms application user.
- Monitor outbound data volume from the database tier for spikes that may indicate bulk extraction.
- Correlate authentication anomalies with SQL injection signatures to identify follow-on credential abuse.
How to Mitigate CVE-2026-37428
Immediate Actions Required
- Restrict network exposure of the qihang-wms application to trusted users and internal networks until a fix is applied.
- Apply WAF rules that reject SQL syntax in the datascope parameter.
- Audit recent application and database logs for evidence of exploitation against department queries.
Patch Information
No official vendor patch is referenced in the NVD record at the time of publication. Operators running commit 75c15a should track the upstream qihang-wms repository for fixes and review the references in the GitHub CVE SQL Injection Documentation. As an interim fix, modify SysDeptMapper.xml to replace ${datascope} interpolation with #{datascope} parameterized binding, or validate the value against an allow-list of expected scope identifiers before query execution.
Workarounds
- Replace ${datascope} with #{datascope} in SysDeptMapper.xml to enforce prepared-statement binding.
- Implement server-side input validation that rejects any datascope value not matching the expected numeric format.
- Apply the principle of least privilege to the database account used by qihang-wms, removing access to tables outside the application schema.
# Example allow-list validation in a reverse proxy or filter
# Reject requests where datascope is not a simple numeric token
if ! [[ "$datascope" =~ ^[0-9]{1,3}$ ]]; then
echo "Invalid datascope value" >&2
exit 1
fi
: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
