CVE-2026-1121 identifies a SQL injection vulnerability in Yonyou KSOA version 9.0, located in the /worksheet/del_workplan.jsp file's HTTP GET parameter handler for the 'ID' argument. The vulnerability arises from improper sanitization of user-supplied input, allowing attackers to inject malicious SQL queries remotely without authentication or user interaction. This can lead to unauthorized data access, modification, or deletion within the backend database. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), reflecting its network attack vector, low attack complexity, and no required privileges or user interaction. The vendor has not issued a patch or response, and a public exploit is available, increasing the urgency for affected organizations to implement mitigations. The lack of authentication requirement and remote exploitability make this a significant risk, especially for enterprises relying on Yonyou KSOA for critical business operations. The vulnerability affects only version 9.0, and no other versions are currently reported as vulnerable. Given the public exploit availability, attackers could leverage this flaw to compromise enterprise data confidentiality, integrity, and availability, potentially leading to data breaches or operational disruption.

For European organizations, exploitation of this SQL injection vulnerability could result in unauthorized access to sensitive business data, including financial records, employee information, and operational plans managed within Yonyou KSOA. Data integrity could be compromised through unauthorized modifications or deletions, impacting business continuity and trustworthiness of information. Availability risks include potential database corruption or denial of service caused by malicious queries. Given Yonyou's presence in sectors such as manufacturing, finance, and government services in Europe, successful exploitation could disrupt critical business functions and regulatory compliance, especially under GDPR requirements for data protection. The public availability of an exploit increases the likelihood of targeted attacks, including by cybercriminals or state-sponsored actors. The absence of vendor patches exacerbates the risk, forcing organizations to rely on defensive measures. This vulnerability could also be leveraged as a foothold for further network compromise or lateral movement within affected enterprises.

Since no official patch is available, European organizations should implement immediate compensating controls. First, deploy web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'ID' parameter in /worksheet/del_workplan.jsp. Second, apply strict input validation and sanitization at the application or proxy level to reject malicious payloads. Third, conduct thorough code reviews and consider temporary code modifications to parameter handling if feasible. Fourth, restrict network access to the affected application to trusted IP ranges and segment the network to limit lateral movement in case of compromise. Fifth, enhance monitoring and logging to detect suspicious database queries or unusual application behavior. Sixth, prepare incident response plans specific to SQL injection exploitation scenarios. Finally, maintain close monitoring of vendor communications for any forthcoming patches or advisories and plan for timely application once available.