CVE-2026-9551 Overview
CVE-2026-9551 is a SQL injection vulnerability in Das Parking Management System (停车场管理系统) version 6.2.0. The disclosure locates the flaw in the xp_cmdshell code path reached through the ParkingRecord/ExportParkingRecords API endpoint: the Value argument is not neutralized before it reaches the backend SQL statement, so an attacker can inject arbitrary SQL. The vulnerability is exploitable remotely and requires neither authentication nor user interaction. According to the disclosure, a public exploit exists and the vendor did not respond to the coordinated disclosure attempt. The vulnerability is classified under [CWE-74], improper neutralization of special elements in output used by a downstream component (injection).
Critical Impact
Unauthenticated remote attackers can inject SQL statements through the ExportParkingRecords endpoint. At minimum this exposes or alters parking record data. Because the vulnerable path involves xp_cmdshell, a Microsoft SQL Server extended stored procedure that runs operating system commands, a successful injection can also execute commands on the database server under the SQL Server service account.
Affected Products
- Das Parking Management System (停车场管理系统) 6.2.0
- Component: ParkingRecord/ExportParkingRecords API Endpoint
- Vulnerable function: xp_cmdshell
Discovery Timeline
- 2026-05-26 - CVE-2026-9551 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9551
Vulnerability Analysis
The vulnerability is a SQL injection flaw in the ParkingRecord/ExportParkingRecords API endpoint of Das Parking Management System 6.2.0. The endpoint accepts a Value parameter that is incorporated into a backend SQL query without neutralization or parameterization. An attacker sends crafted HTTP requests over the network; no credentials or user interaction are required.
The reference to xp_cmdshell indicates that the backend is Microsoft SQL Server, where xp_cmdshell is an extended stored procedure that executes operating system commands. When the injection lands in a context that can invoke xp_cmdshell, the attacker escalates from data exfiltration to command execution under the database service account. Two caveats a practitioner should weigh: xp_cmdshell is disabled by default on SQL Server, and executing it requires sysadmin membership (or an explicit EXECUTE grant plus a configured proxy account). If the application's login is sysadmin, however, an injected batch can enable the option itself through sp_configure before calling it, so "disabled by default" is not a defense on its own.
Root Cause
The root cause is improper neutralization of user-controlled input [CWE-74] (the generic injection class; SQL injection specifically is its child, CWE-89). The Value parameter passed to ParkingRecord/ExportParkingRecords is concatenated into a SQL statement instead of being bound through a parameterized query or prepared statement. A quote or operator inside Value therefore ends the intended literal and the remainder is parsed as SQL, letting attacker-supplied fragments alter the query's structure rather than just its data.
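The concatenation-versus-binding contrast described above, as an added example that is not part of the advisory or the vendor's code. It uses Python's bundled sqlite3 as a stand-in for SQL Server; the table shape, column names, sample rows and the query itself are assumptions, since the product's real statement is not public. The vulnerable builder lets a quote in Value terminate the literal, so a tautology returns every row and a UNION appends attacker-chosen columns, while the bound version treats the same strings as plain data:

```python
import sqlite3

# Constructed stand-in for the parking record table. sqlite3 is used
# only because it ships with Python; the product's backend is Microsoft
# SQL Server, but the concatenation-versus-binding contrast is the same.
SAMPLE_RECORDS = [
    (1, "SH-A12345", "2026-05-01 08:12", "2026-05-01 17:40"),
    (2, "SH-B67890", "2026-05-01 09:03", "2026-05-01 12:15"),
    (3, "JS-C24680", "2026-05-02 07:55", "2026-05-02 18:01"),
]


def open_sample_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ParkingRecord (Id INTEGER, Plate TEXT, EnterTime TEXT, LeaveTime TEXT)"
    )
    conn.executemany("INSERT INTO ParkingRecord VALUES (?, ?, ?, ?)", SAMPLE_RECORDS)
    return conn


def export_vulnerable(conn, value):
    # Mirrors the root cause: the caller's Value is pasted into the SQL
    # text, so a quote in Value ends the literal and the rest is parsed
    # as SQL. The query shape is hypothetical; the real one is not public.
    sql = "SELECT Id, Plate FROM ParkingRecord WHERE Plate = '" + value + "'"
    return conn.execute(sql).fetchall()


def export_parameterized(conn, value):
    # Hardened form: Value travels as a bound parameter, never as SQL
    # text, so it can only ever be compared against Plate as data.
    sql = "SELECT Id, Plate FROM ParkingRecord WHERE Plate = ?"
    return conn.execute(sql, (value,)).fetchall()


def demo():
    """Row counts for a legitimate lookup and two classic payloads."""
    conn = open_sample_db()
    tautology = "' OR '1'='1"
    # UNION with matching column count; '--' comments out the trailing quote.
    union = "x' UNION SELECT 1, sqlite_version() --"
    return {
        "legit": len(export_parameterized(conn, "SH-A12345")),
        "vuln_tautology": len(export_vulnerable(conn, tautology)),   # every row
        "vuln_union": len(export_vulnerable(conn, union)),           # attacker row
        "safe_tautology": len(export_parameterized(conn, tautology)),
        "safe_union": len(export_parameterized(conn, union)),
    }


if __name__ == "__main__":
    print(demo())
```

One behavioural difference to keep in mind: sqlite3's execute() refuses a second statement after a ';', whereas SQL Server runs stacked batches, which is exactly the path by which an injected `'; EXEC master..xp_cmdshell ...` would reach the operating system. The fix is the same on both: bind Value, and additionally validate it against the format the export actually expects (a date range or record id), rejecting anything else before it reaches the driver.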
Attack Vector
An attacker reaches the exposed API endpoint over the network and submits a malicious Value parameter. The injected payload modifies query logic to read, modify, or delete records in the parking management database. If the database account is privileged and xp_cmdshell is enabled, the injected query can invoke arbitrary system commands on the SQL Server host. Details of the vulnerable request flow are documented in the Feishu Wiki writeup and the VulDB entry.
No verified exploit code is reproduced here. See the referenced advisories for technical proof-of-concept details.
Detection Methods for CVE-2026-9551
Indicators of Compromise
- HTTP requests to /ParkingRecord/ExportParkingRecords whose Value parameter (after URL decoding) contains SQL meta-characters or keywords: single quotes, statement separators (;), comment sequences (--, /*), UNION, SELECT, EXEC, or the string xp_cmdshell.
- Database logs showing invocations of xp_cmdshell originating from the parking management application's database user.
- Outbound network connections initiated by the SQL Server process (sqlservr.exe) to unexpected destinations following requests to the affected endpoint.
Detection Strategies
- Inspect web server and application logs for anomalous Value parameters submitted to ParkingRecord/ExportParkingRecords, particularly those containing SQL keywords or encoded special characters.
- Enable SQL Server auditing for execution of extended stored procedures, especially xp_cmdshell, and alert on any successful invocation. Also alert on changes to the xp_cmdshell option via sp_configure, since an attacker whose injection runs as sysadmin can re-enable it before calling it.
- Deploy a web application firewall (WAF) signature for SQL injection patterns targeting the affected endpoint and review denied requests for active probing.
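The log review described in the indicator list and the first detection strategy, as an added example, not tooling from the advisory or the vendor. It reads an IIS W3C log excerpt that is constructed here for illustration (the request lines are not a real capture) and flags requests to the affected endpoint whose URL-decoded Value parameter contains SQL meta-characters or keywords. The indicator patterns and the #Fields layout are assumptions; adjust the field list to your own logging configuration.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not a real capture). The Value
# payloads are illustrative meta-character patterns, not a known exploit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-05-26 10:01:12 10.0.0.5 GET /ParkingRecord/ExportParkingRecords Value=2026-05-01 443 - 192.0.2.10 Mozilla/5.0 200 41
2026-05-26 10:01:19 10.0.0.5 GET /ParkingRecord/ExportParkingRecords Value=2026-05-01%27+OR+1%3D1-- 443 - 198.51.100.7 python-requests/2.31 200 38
2026-05-26 10:01:33 10.0.0.5 GET /ParkingRecord/ExportParkingRecords Value=x%27%3BEXEC+master..xp_cmdshell+%27whoami%27-- 443 - 198.51.100.7 python-requests/2.31 500 120
2026-05-26 10:02:01 10.0.0.5 GET /Account/Login - 443 - 192.0.2.11 Mozilla/5.0 200 12
"""

TARGET_STEM = "/parkingrecord/exportparkingrecords"

# Indicator patterns (assumed); each is a reason to look, not proof of exploitation.
INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "stacked_query": re.compile(r";"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "exec": re.compile(r"\bexec(ute)?\b", re.I),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
}


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def extract_value(query):
    """Return the URL-decoded Value parameter (name matched case-insensitively), or None."""
    if query in ("-", ""):
        return None
    for name, vals in parse_qs(query, keep_blank_values=True).items():
        if name.lower() == "value":
            return vals[0]
    return None


def find_injection_attempts(log_text):
    """Flag requests to the affected endpoint whose Value carries SQL indicators."""
    hits = []
    for rec in parse_w3c(log_text):
        if rec["cs-uri-stem"].lower().rstrip("/") != TARGET_STEM:
            continue
        value = extract_value(rec["cs-uri-query"])
        if value is None:
            continue
        matched = sorted(name for name, rx in INDICATORS.items() if rx.search(value))
        if matched:
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "status": rec["sc-status"],
                "value": value,
                "indicators": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

Deliberately, a single hyphen is not an indicator: legitimate export dates such as 2026-05-01 contain them, and a naive pattern would fire on every normal export. Note also the 500 on the stacked-query attempt; a run of server errors on this endpoint from one client is itself worth correlating with the SQL Server audit log for xp_cmdshell invocations.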
Monitoring Recommendations
- Forward IIS or reverse proxy logs and SQL Server audit logs to a central analytics platform to correlate suspicious requests with database activity.
- Monitor for new child processes spawned by sqlservr.exe, including cmd.exe, powershell.exe, or scripting hosts, which indicate xp_cmdshell abuse.
- Track outbound connections and DNS queries from the database host to identify command-and-control or data exfiltration attempts.
How to Mitigate CVE-2026-9551
Immediate Actions Required
- Restrict network access to the Das Parking Management System administrative and API endpoints to trusted management networks only.
- Disable xp_cmdshell on the backing SQL Server instance unless it is explicitly required for business operations.
- Run the application's database account with the least privileges necessary, removing sysadmin membership and any rights to execute extended stored procedures.
- Deploy WAF rules to block SQL injection patterns targeting /ParkingRecord/ExportParkingRecords.
Patch Information
No vendor patch is currently available. The disclosure notes that the vendor was contacted but did not respond. Monitor the VulDB entry for CVE-2026-9551 for updates on remediation status.
Workarounds
- Place the application behind an authenticating reverse proxy or VPN to eliminate unauthenticated network exposure.
- Apply WAF or reverse proxy filtering that rejects requests where the Value parameter contains SQL meta-characters or keywords.
- Disable xp_cmdshell with sp_configure ('show advanced options' must be set to 1 first), then run RECONFIGURE. This is only a speed bump if the application's login is sysadmin, because an injected batch can re-enable it the same way; pair it with the least-privilege change above.
- If feasible, take the affected version offline until a patched release or compensating controls are confirmed.
# Disable xp_cmdshell on SQL Server to limit blast radius
sqlcmd -S <server> -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"
# Verify the running value (value_in_use should be 0)
sqlcmd -S <server> -Q "SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.