CVE-2026-1546 identifies a SQL injection vulnerability in the jishenghua jshERP software, specifically affecting versions 3.0 through 3.6. The vulnerability is located in the getBillItemByParam function of the /jshERP-boot/depotItem/importItemExcel file, within the DepotItemMapperEx component. The root cause is insufficient input validation and sanitization of the 'barCodes' parameter, which is directly used in SQL queries. This flaw enables remote attackers to craft malicious input that alters the intended SQL command logic, potentially allowing unauthorized retrieval, modification, or deletion of database records. The attack vector requires no authentication or user interaction, increasing the risk of exploitation. The vulnerability was responsibly disclosed early to the vendor, but no patch or fix has been released as of the publication date. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. While no active exploits have been confirmed in the wild, the public disclosure increases the likelihood of exploitation attempts. Organizations using jshERP should consider this vulnerability critical to their database security posture, as ERP systems often contain sensitive business and operational data.

For European organizations, exploitation of CVE-2026-1546 could result in unauthorized access to sensitive business data, including inventory, billing, and supply chain information managed by jshERP. This could lead to data breaches, manipulation of financial records, disruption of business operations, and potential compliance violations under GDPR due to unauthorized data exposure. The ability to remotely exploit this vulnerability without authentication increases the risk of widespread attacks, especially in sectors heavily reliant on ERP systems such as manufacturing, wholesale, and retail. The integrity of business-critical data could be compromised, affecting decision-making and operational continuity. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement within corporate environments. The absence of a vendor patch heightens the urgency for organizations to implement compensating controls to mitigate risk.

Given the lack of an official patch, European organizations should implement immediate compensating controls. These include deploying web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'barCodes' parameter in jshERP endpoints. Network segmentation should be enforced to limit access to ERP systems from untrusted networks. Input validation and sanitization should be applied at the application layer where possible, potentially through custom middleware or reverse proxies. Organizations should monitor logs for unusual database query patterns or failed injection attempts. Restrict database user privileges associated with jshERP to the minimum necessary, preventing unauthorized data modification. Regular backups of ERP data should be maintained to enable recovery in case of data corruption. Finally, organizations should engage with the vendor for updates and consider alternative ERP solutions if remediation is delayed.