CVE-2026-1059: SQL Injection in FeMiner wms
A security vulnerability has been detected in FeMiner wms up to commit 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. Manipulation of the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery; therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-1059 identifies a SQL injection vulnerability in FeMiner wms, an application used for warehouse management. The vulnerability resides in the /src/chkuser.php file, where the Username parameter is improperly sanitized, allowing an attacker to inject malicious SQL queries. This injection flaw can be exploited remotely without requiring authentication or user interaction, making it highly accessible to attackers. The product uses a rolling release strategy, complicating exact version identification, but all versions up to the specified commit hash are affected. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity, with network attack vector, low complexity, and no privileges or user interaction required. The impact includes potential unauthorized data access, modification, or deletion, which could compromise system integrity and availability. The vendor was notified but has not issued a patch or response, and no known exploits are currently active in the wild, though public exploit code exists. This vulnerability poses a significant risk to organizations relying on FeMiner wms for critical warehouse management operations, especially where sensitive or regulated data is stored.
Potential Impact
The SQL injection vulnerability in FeMiner wms can lead to unauthorized access to sensitive data, including user credentials and operational information, potentially resulting in data breaches. Attackers could manipulate database queries to alter or delete data, disrupting warehouse management processes and causing operational downtime. The integrity of business-critical data could be compromised, leading to incorrect inventory records or shipment errors. Availability may also be affected if crafted SQL payloads induce denial-of-service conditions in the database. Given the remote, unauthenticated nature of the exploit, the threat surface is broad, increasing the likelihood of exploitation. Organizations in the logistics, manufacturing, and retail sectors using FeMiner wms could face financial losses, reputational damage, and regulatory penalties if exploited. The lack of vendor response and patches exacerbates the risk, leaving systems exposed until mitigations are applied.
Mitigation Recommendations
Organizations should immediately audit their use of FeMiner wms and identify instances running affected versions. As no official patches are available, implement web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the Username parameter in /src/chkuser.php. Where source code access is possible, employ input validation and parameterized queries at the application level so that user input can never alter the structure of a query. Monitor logs for suspicious database query patterns and failed login attempts indicative of injection attempts. Restrict network access to the wms application to trusted IP ranges and enforce strict access controls. Conduct regular security assessments and penetration tests focusing on injection flaws. Prepare incident response plans for potential data breaches or service disruptions. Engage with the vendor for updates and consider alternative solutions if remediation is delayed. Finally, keep backups of critical data to enable recovery in case of data corruption or loss.
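The parameterized-query advice above, as an added PHP illustration that is not FeMiner wms code: the real contents of /src/chkuser.php are not published on this page, so the users table, its username and password_hash columns, the Password request field and the $db connection details are assumptions; only the Username parameter name comes from the advisory. The first function shows the string-concatenation pattern that produces this class of bug, the second the prepared-statement form that removes it.

```php
<?php
// Added illustration, not code from FeMiner wms. The real /src/chkuser.php is
// not shown on this page; the users table, the username/password_hash columns,
// the Password field and the connection details below are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the request value is spliced into the SQL text, so a
// value containing quote characters changes the statement the database runs.
function check_user_vulnerable(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '" . $username . "'";
    $result = $db->query($sql);
    $row = $result instanceof mysqli_result ? $result->fetch_assoc() : null;
    return $row !== null && password_verify($password, (string) $row['password_hash']);
}

// Hardened pattern: the SQL text is fixed at prepare time and the value travels
// as a bound parameter, so it can only be compared against, never parsed as SQL.
function check_user_hardened(mysqli $db, string $username, string $password): bool
{
    // Allow-list the identifier shape first (defence in depth, not the fix itself);
    // the character set and length limit are an assumed policy, match the real schema.
    if (preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username) !== 1) {
        return false;
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string value
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch() === true;
    $stmt->close();

    return $found && password_verify($password, (string) $hash);
}

// Request handling. "Username" is the parameter named in the advisory;
// "Password" and the connection parameters are placeholders.
$db = new mysqli('localhost', 'wms_user', 'PLACEHOLDER_PASSWORD', 'wms');
$db->set_charset('utf8mb4');

$username = (string) ($_POST['Username'] ?? '');
$password = (string) ($_POST['Password'] ?? '');

if (check_user_hardened($db, $username, $password)) {
    // session setup would go here
    echo 'ok';
} else {
    // Feed the log monitoring recommended above. The username is reduced to
    // printable ASCII and truncated so a rejected value cannot forge log lines;
    // the password is never logged.
    $safeName = substr(preg_replace('/[^\x20-\x7e]/', '?', $username) ?? '', 0, 64);
    error_log(sprintf('chkuser: login rejected for "%s" from %s',
        $safeName === '' ? '<empty>' : $safeName,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(401);
    echo 'invalid credentials';
}
```

The prepared statement is the actual fix: once the value is bound rather than concatenated, no content of Username can change the query structure, which is also why a WAF rule on the parameter is only a stopgap until the code is changed. The allow-list and the sanitized rejection log are additional layers that make failed attempts visible to the log monitoring the recommendations call for.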
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, Canada, Netherlands, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-16T19:04:21.251Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696c87f2d302b072d9a7fc74
Added to database: 1/18/2026, 7:12:50 AM
Last enriched: 2/23/2026, 10:47:27 PM
Last updated: 3/25/2026, 8:07:55 AM