
CVE-2026-1218: XML External Entity Reference in Bjskzy Zhiyou ERP

Severity: Medium
Published: Tue Jan 20 2026 (01/20/2026, 05:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Bjskzy
Product: Zhiyou ERP

Description

CVE-2026-1218 is a medium-severity XML External Entity (XXE) vulnerability affecting Bjskzy Zhiyou ERP version 11.0. The flaw exists in the initRCForm function within the RichClientService.class file, allowing remote attackers to manipulate XML input and trigger external entity references. Exploitation does not require user interaction but requires low privileges, and the vulnerability impacts confidentiality, integrity, and availability to a limited extent. Although the vendor has not responded or released a patch, public exploit code is available, increasing the risk of exploitation. European organizations using this ERP, especially in countries with significant adoption of Bjskzy products or critical industrial sectors, may be targeted. Mitigation requires disabling external entity processing in XML parsers, applying strict input validation, and network-level protections. Countries with notable ERP usage and strategic industrial importance, such as Germany, France, and the UK, are more likely to be affected. The vulnerability’s CVSS 4.

AI-Powered Analysis

Last updated: 01/20/2026, 05:50:16 UTC

Technical Analysis

CVE-2026-1218 is an XML External Entity (XXE) vulnerability identified in Bjskzy Zhiyou ERP up to version 11.0, specifically in the initRCForm function of the RichClientService.class file within the com.artery.richclient.RichClientService component. XXE vulnerabilities arise when XML parsers process external entity references embedded in XML input, potentially allowing attackers to read arbitrary files, perform server-side request forgery (SSRF), or cause denial of service. In this case, the vulnerability can be exploited remotely without user interaction, requiring only low-level privileges, which lowers the barrier for attackers. The vulnerability impacts confidentiality, integrity, and availability, though the CVSS vector indicates limited impact on each (VC:L, VI:L, VA:L). The vendor was notified early but has not responded or issued a patch, while exploit code has been made publicly available, increasing the risk of exploitation by opportunistic attackers. The vulnerability does not require authentication or user interaction, making it more accessible. The affected product, Bjskzy Zhiyou ERP, is an enterprise resource planning system used in various industries, which may include manufacturing, logistics, and supply chain management. The lack of vendor response and patch availability necessitates immediate mitigation efforts by organizations using this ERP. The CVSS 4.0 score of 5.3 reflects a medium severity, balancing the ease of exploitation with the limited scope of impact. This vulnerability highlights the importance of secure XML parsing configurations and input validation in ERP systems.

Potential Impact

For European organizations, exploitation of CVE-2026-1218 could lead to unauthorized disclosure of sensitive business data, disruption of ERP services, and potential lateral movement within corporate networks. Given that ERP systems often manage critical business processes such as inventory, finance, and procurement, compromise could result in operational downtime, financial loss, and reputational damage. The ability to remotely exploit this vulnerability without user interaction increases the risk of automated attacks and worm-like propagation within vulnerable networks. Industries with high reliance on ERP systems, including manufacturing, automotive, and logistics sectors prevalent in Europe, could face significant operational impacts. Additionally, organizations subject to strict data protection regulations like GDPR may face compliance risks if sensitive data is exposed. The absence of a vendor patch and public exploit availability further elevate the threat level. However, the limited impact ratings on confidentiality, integrity, and availability suggest that while serious, the vulnerability is unlikely to cause catastrophic damage on its own but could serve as an entry point for more complex attacks.

Mitigation Recommendations

1. Disable XML external entity processing in all XML parsers used by the Bjskzy Zhiyou ERP system, if configurable.
2. Implement strict input validation and sanitization on all XML inputs, especially those processed by the initRCForm function.
3. Employ network-level controls such as web application firewalls (WAFs) configured to detect and block XXE attack patterns.
4. Restrict ERP server outbound network access to prevent SSRF and data exfiltration attempts.
5. Monitor logs for unusual XML parsing errors or unexpected external entity references.
6. Isolate ERP systems within segmented network zones to limit lateral movement if compromised.
7. Engage with Bjskzy vendor support channels persistently to request official patches or mitigations.
8. Consider deploying runtime application self-protection (RASP) solutions that can detect and block XXE exploitation attempts.
9. Conduct regular security assessments and penetration tests focusing on XML processing components.
10. Prepare incident response plans specific to ERP system compromises to enable rapid containment and recovery.
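Mitigation 1 in working form, as an added example that is not code from the advisory or from Bjskzy: a JAXP DocumentBuilderFactory configured so that any DOCTYPE (and therefore any external entity declaration) is rejected before the parser fetches anything. It assumes the ERP parses its RichClient XML with javax.xml.parsers, which the advisory does not state; the element names and the parser wrapper are placeholders.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {
    // Build a DocumentBuilderFactory that cannot resolve external entities.
    // Hypothetical hardening for a JAXP-based parser; assumes the ERP uses
    // javax.xml.parsers (the advisory does not name the parser in use).
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE declaration outright: no DTD means no entity declarations.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is ever allowed again.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    // Returns true when the document parsed, false when the hardened parser rejected it.
    public static boolean parses(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl enabled, a DOCTYPE fails here before any entity is fetched.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the element names are placeholders, not the ERP's real schema.
        String benign = "<rcForm><field name=\"id\">42</field></rcForm>";
        String withDoctype = "<!DOCTYPE rcForm [<!ENTITY ext SYSTEM \"http://entity.invalid/x\">]>"
                           + "<rcForm><field>&ext;</field></rcForm>";
        System.out.println("benign parsed: " + parses(benign));
        System.out.println("DOCTYPE parsed: " + parses(withDoctype));
    }
}
```

The same feature flags apply to SAXParserFactory and XMLInputFactory instances; the rejection surfaces as a SAXParseException, which is the parser-error signal that mitigation 5 suggests monitoring for.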


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-19T23:19:20.859Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696f143c4623b1157c18a4f5

Added to database: 1/20/2026, 5:35:56 AM

Last enriched: 1/20/2026, 5:50:16 AM

Last updated: 1/20/2026, 10:33:33 AM

