CVE-2026-1546 identifies a SQL injection vulnerability in the jishenghua jshERP software, versions 3.0 through 3.6. The vulnerability resides in the getBillItemByParam function located in the /jshERP-boot/depotItem/importItemExcel file, within the com.jsh.erp.datasource.mappers.DepotItemMapperEx component. The issue arises from improper sanitization or validation of the barCodes parameter, which is directly used in SQL queries, enabling attackers to inject arbitrary SQL commands. This injection can be performed remotely without authentication or user interaction, increasing the attack surface. The vulnerability was responsibly disclosed to the vendor, but no patch or fix has been issued to date. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the ease of remote exploitation and the potential for partial confidentiality, integrity, and availability impacts. Exploitation could allow attackers to read, modify, or delete sensitive data within the ERP database, potentially disrupting business operations or exposing confidential information. The lack of authentication requirement and the public availability of exploit details heighten the risk. The vulnerability affects all listed versions from 3.0 to 3.6, indicating a long-standing issue in the product's codebase.

The SQL injection vulnerability in jshERP can have significant impacts on organizations using the affected versions. Attackers exploiting this flaw can gain unauthorized access to sensitive business data, including financial records, inventory details, and customer information. They may also alter or delete critical data, leading to operational disruptions, financial losses, and reputational damage. Since jshERP is an enterprise resource planning system, the integrity and availability of its data are crucial for daily business functions. Exploitation could facilitate further attacks, such as privilege escalation or lateral movement within the network. The remote and unauthenticated nature of the vulnerability increases the likelihood of exploitation, especially in environments where the ERP system is exposed to untrusted networks. Organizations lacking timely detection and response capabilities may face prolonged exposure and increased damage. Additionally, the absence of an official patch means that mitigation relies on workarounds or compensating controls, which may not fully eliminate risk.

To mitigate CVE-2026-1546, organizations should first assess their exposure by identifying all instances of jshERP versions 3.0 through 3.6 in their environment. Immediate steps include restricting network access to the ERP system, especially from untrusted or public networks, by implementing firewall rules or VPN requirements. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the barCodes parameter. Conduct thorough input validation and sanitization on all user-supplied data at the application level, if source code access and modification are possible. Monitor logs for unusual database query patterns or errors indicative of injection attempts. Engage in active threat hunting to detect potential exploitation. Coordinate with the vendor for updates or patches and apply them promptly once available. Consider isolating the ERP system within a segmented network zone to limit lateral movement in case of compromise. Finally, educate relevant personnel about the vulnerability and ensure incident response plans include scenarios involving ERP system breaches.