
CVE-2026-1130: SQL Injection in Yonyou KSOA

Severity: Medium
Published: Mon Jan 19 2026 (01/19/2026, 00:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Yonyou
Product: KSOA

Description

CVE-2026-1130 is a medium-severity SQL injection vulnerability found in Yonyou KSOA version 9.0, specifically in the HTTP GET parameter handler for the /worksheet/worksadd_plan.jsp file. The vulnerability allows remote attackers to manipulate the 'ID' parameter to execute arbitrary SQL commands without authentication or user interaction. Although no patches have been released and the vendor has not responded, public exploit code exists, increasing the risk of exploitation. This flaw can lead to unauthorized data access, modification, or deletion, impacting confidentiality, integrity, and availability of affected systems. European organizations using Yonyou KSOA 9.0, especially in sectors relying on this software, face potential data breaches and operational disruptions. Mitigation requires immediate risk assessment, network-level filtering of suspicious requests, and monitoring for exploitation attempts. Countries with significant adoption of Yonyou products and critical infrastructure integration, such as Germany, France, and the UK, are most likely to be affected.

AI-Powered Analysis

Last updated: 01/19/2026, 00:56:07 UTC

Technical Analysis

CVE-2026-1130 is a SQL injection vulnerability identified in Yonyou KSOA version 9.0, affecting the HTTP GET parameter handler in the /worksheet/worksadd_plan.jsp component. The vulnerability arises from improper sanitization of the 'ID' parameter, allowing attackers to inject malicious SQL queries remotely without requiring authentication or user interaction. This flaw enables attackers to manipulate backend database queries, potentially leading to unauthorized data disclosure, data modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting medium severity, with an attack vector of network (remote), low attack complexity, and no privileges or user interaction needed. The vendor has not issued a patch or responded to disclosure attempts, but exploit code has been published publicly, increasing the risk of exploitation. The vulnerability impacts confidentiality, integrity, and availability, as attackers can access sensitive data or disrupt services. The lack of authentication and user interaction requirements makes this vulnerability particularly dangerous in exposed environments. Yonyou KSOA is an enterprise application platform widely used in Asia and increasingly adopted by multinational companies, including some European organizations, especially in sectors such as manufacturing, finance, and government services.

Potential Impact

For European organizations, exploitation of CVE-2026-1130 could lead to significant data breaches, exposing sensitive corporate or customer information. The integrity of business-critical data could be compromised, resulting in erroneous data processing or financial loss. Availability of services relying on Yonyou KSOA could be disrupted by malicious SQL commands, causing operational downtime. Organizations in regulated industries such as finance, healthcare, and government may face compliance violations and reputational damage. The public availability of exploit code increases the likelihood of automated attacks targeting vulnerable systems. Since the vulnerability requires no authentication, any externally accessible instance of Yonyou KSOA 9.0 is at risk. The absence of vendor patches exacerbates the threat, forcing organizations to rely on compensating controls. Attackers could leverage this vulnerability as a foothold for further network compromise or lateral movement within corporate environments.

Mitigation Recommendations

1. Immediately conduct an inventory to identify all instances of Yonyou KSOA 9.0 within the network.
2. Restrict external access to the /worksheet/worksadd_plan.jsp endpoint using network-level controls such as firewalls or web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter.
3. Implement strict input validation and sanitization at the application layer if source code or configuration access is available.
4. Monitor logs and network traffic for unusual database queries or repeated access attempts to the vulnerable endpoint.
5. Employ database activity monitoring tools to detect and alert on suspicious SQL commands.
6. Isolate vulnerable systems from critical infrastructure until a vendor patch or official remediation is available.
7. Engage with Yonyou support channels persistently to obtain official patches or guidance.
8. Consider deploying virtual patching via WAFs as an interim protective measure.
9. Educate incident response teams on the specific indicators of compromise related to this vulnerability.
10. Plan for rapid incident response and forensic analysis in case of exploitation attempts.
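
For the filtering and log-monitoring recommendations above, the following is an added example (not part of the original advisory and not vendor code): a triage script that finds requests to the affected endpoint in web access logs and flags any whose ID value falls outside an allowlist. It assumes common/combined-format access logs and that legitimate ID values are short decimal integers; the names `triage`, `ALLOWED_ID` and `SAMPLE_LOG` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

VULN_PATH = "/worksheet/worksadd_plan.jsp"  # endpoint named in the advisory
# Assumption: legitimate ID values are short decimal integers; adjust as needed.
ALLOWED_ID = re.compile(r"[0-9]{1,10}")
# Common/combined log format: ip ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def triage(lines):
    """Return a finding for each request to VULN_PATH whose ID fails the allowlist."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Decode the path, drop ";param" suffixes, compare case-insensitively.
        path = unquote(url.path).split(";", 1)[0].lower()
        if path != VULN_PATH:
            continue
        # parse_qsl percent-decodes values; blanks are kept so "ID=" is seen too.
        ids = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
               if k.lower() == "id"]
        # Flag values outside the allowlist and repeated ID parameters.
        if len(ids) > 1 or any(not ALLOWED_ID.fullmatch(v) for v in ids):
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]), "id_values": ids})
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jan/2026:01:02:03 +0000] '
    '"GET /worksheet/worksadd_plan.jsp?ID=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jan/2026:01:05:10 +0000] '
    '"GET /worksheet/worksadd_plan.jsp?ID=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 310',
    '203.0.113.9 - - [19/Jan/2026:01:05:12 +0000] '
    '"GET /Worksheet/worksadd_plan.jsp;x=1?id=7&ID=7-- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Jan/2026:01:06:00 +0000] '
    '"GET /index.jsp?ID=abc HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The same allowlist expressed as a WAF rule on the 'ID' parameter serves as the virtual patch; a clean result from the script only means no flagged request was logged in the files examined.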


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-18T07:13:43.597Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696d7dc9d302b072d910517a

Added to database: 1/19/2026, 12:41:45 AM

Last enriched: 1/19/2026, 12:56:07 AM

Last updated: 1/19/2026, 3:45:41 AM
