CVE-2026-2963 identifies a SQL injection vulnerability in Jinher OA C6, a widely used office automation software, specifically in versions up to 20260210. The vulnerability arises from improper sanitization or validation of the id and offsnum parameters in the OfficeSupplyTypeRight.aspx page, which is part of the /C6/Jhsoft.Web.officesupply module. An attacker can remotely send crafted HTTP requests to inject arbitrary SQL commands into the backend database queries. This injection can lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the affected system's data. The attack vector requires no authentication or user interaction, making it easier to exploit. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Despite the vendor being notified, no patch or official response has been provided, and the exploit details have been publicly disclosed, increasing the risk of exploitation by threat actors. The vulnerability affects organizations relying on Jinher OA C6 for office automation, especially those with internet-facing deployments of the vulnerable endpoint.

The SQL injection vulnerability can allow attackers to execute arbitrary SQL commands on the backend database, leading to unauthorized access to sensitive information such as user credentials, internal documents, or business data. Attackers may also modify or delete critical data, disrupting business operations and causing data integrity issues. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to organizations with exposed Jinher OA C6 installations. The compromise could lead to data breaches, regulatory non-compliance, reputational damage, and potential financial losses. Additionally, attackers could leverage this access to pivot within the network, escalating privileges or deploying further malware. The lack of vendor response and patch availability increases the window of exposure, making timely mitigation essential.

Organizations should immediately audit their Jinher OA C6 deployments to identify affected versions, especially those exposing the /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx endpoint. Until an official patch is released, implement strict network-level access controls such as IP whitelisting or VPN-only access to restrict exposure of the vulnerable endpoint. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the id and offsnum parameters. Conduct thorough input validation and sanitization on all user-supplied data where possible. Monitor logs for suspicious queries or repeated access attempts to the vulnerable page. Consider isolating the affected system from critical networks to limit potential lateral movement. Engage with Jinher support channels for updates and apply patches immediately upon release. Additionally, conduct security awareness training for administrators to recognize and respond to exploitation attempts.