CVE-2026-1129 is a SQL injection vulnerability identified in Yonyou KSOA version 9.0, a business software platform widely used in enterprise environments. The vulnerability resides in the /worksheet/worksadd.jsp component, specifically in the handling of the HTTP GET parameter 'ID'. Improper sanitization or validation of this parameter allows an attacker to inject malicious SQL code, which can be executed by the backend database. This can lead to unauthorized data retrieval, modification, or deletion, compromising the confidentiality, integrity, and availability of the affected system's data. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Despite the vendor being notified early, no patch or official response has been issued, and public exploit code is available, which could facilitate exploitation by threat actors. The lack of mitigation from the vendor and the public availability of exploits make this vulnerability a significant concern for organizations using Yonyou KSOA 9.0.

The exploitation of this SQL injection vulnerability can have severe consequences for organizations using Yonyou KSOA 9.0. Attackers can remotely execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive business data, data corruption, or deletion. This compromises data confidentiality and integrity, and may also impact system availability if critical data or database structures are altered or destroyed. Given that no authentication is required, any attacker with network access to the affected system can attempt exploitation, increasing the attack surface. The presence of public exploit code further raises the likelihood of attacks, including automated scanning and exploitation by opportunistic threat actors. Organizations may face data breaches, regulatory penalties, operational disruptions, and reputational damage. The lack of vendor response and patches exacerbates the risk, as affected entities must rely on interim mitigations. The impact is particularly critical for enterprises relying heavily on Yonyou KSOA for business operations and data management.

To mitigate this vulnerability in the absence of an official patch, organizations should implement multiple layers of defense. First, apply strict input validation and sanitization on the 'ID' parameter at the web application level to block malicious SQL payloads. Employ parameterized queries or prepared statements if source code access and modification are possible. Deploy a Web Application Firewall (WAF) configured to detect and block SQL injection attempts targeting the vulnerable endpoint. Monitor network traffic and application logs for unusual or suspicious activity related to the /worksheet/worksadd.jsp path and the 'ID' parameter. Restrict network access to the affected application to trusted IP ranges where feasible, reducing exposure. Conduct regular security assessments and penetration testing to identify and remediate injection flaws. Maintain comprehensive backups of critical data to enable recovery in case of data corruption or loss. Engage with Yonyou support channels for updates and patches, and plan for timely application once available. Finally, educate development and security teams about secure coding practices to prevent similar vulnerabilities in future releases.