CVE-2026-2963: SQL Injection in Jinher OA C6
CVE-2026-2963 is a medium-severity SQL injection vulnerability in Jinher OA C6 version 20260210 and earlier. It arises from improper neutralization of the 'id' and 'offsnum' parameters of the /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx endpoint, whose values reach a database query without being validated or parameterized. The flaw allows remote attackers to execute arbitrary SQL commands against the backend database without user interaction and, according to the disclosure, without authentication. No exploitation in the wild is known, but the vulnerability has been publicly disclosed and could be used to compromise database confidentiality, integrity and availability. The vendor did not respond to the disclosure, and no official patch is available. Organizations running Jinher OA C6 should prioritize mitigation to prevent data theft or manipulation of OA records. The threat primarily affects environments where Jinher OA C6 is deployed, notably in China and other countries with significant adoption of the product.
AI Analysis
Technical Summary
CVE-2026-2963 identifies a SQL injection vulnerability in Jinher OA C6, a widely used office automation platform, affecting versions up to and including 20260210. The flaw lies in how the /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx handler processes the 'id' and 'offsnum' parameters: their values are not validated or bound as query parameters before reaching the backend query, so anyone who can send requests to the endpoint can alter the query's structure. Successful exploitation permits unauthorized reading, modification or deletion of data in the OA database, which typically holds internal documents, workflow records and account data. The vulnerability has been publicly disclosed, raising the risk of exploitation, although no exploitation in the wild has been reported. The vendor was notified before publication and has neither responded nor released a fix, so affected users remain exposed. The CVSS 4.0 base score of 5.3 (medium) reflects network exploitability with low attack complexity, no user interaction and partial (low) impact on confidentiality, integrity and availability. One point worth checking: in CVSS 4.0, a 5.3 with low C/I/A impacts is the score the calculator yields when the vector requires low privileges (PR:L); an otherwise identical vector with no privileges required scores higher. Consult the published vector string before treating the endpoint as reachable without a valid session. Organizations relying on Jinher OA C6 should monitor for updates and apply the mitigations below promptly.
Potential Impact
Successful exploitation lets an attacker run arbitrary SQL against the OA database, leading to unauthorized disclosure of sensitive data, data corruption or deletion. Because office automation platforms handle internal communications, document management and workflow approvals, this compromises the confidentiality, integrity and availability of core business records, can disrupt operations, and can trigger regulatory obligations where personal or otherwise regulated data is exposed. Exposure is greatest where the OA portal is reachable from the internet, since no user interaction is needed and the endpoint can be requested directly. The vendor's silence and the absence of a patch extend the window of opportunity for attackers. The blast radius also depends on the database login the application uses: a highly privileged login lets an injection reach beyond the OA schema to other databases on the same server, so that login's privileges belong in any exposure assessment. Organizations using Jinher OA C6 therefore face risks of data breaches, operational disruption and reputational damage.
Mitigation Recommendations
To mitigate CVE-2026-2963 while no vendor fix exists, organizations should implement the following measures:
1) Restrict access to the affected endpoint (/C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx) at the network edge or reverse proxy. Where the endpoint must stay reachable, enforce an allow-list on 'id' and 'offsnum' (if, as their names suggest, they carry numeric identifiers, reject any value that is not a plain integer) rather than relying only on blocklists of SQL keywords, which miss payloads such as a simple tautology.
2) Use parameterized queries or prepared statements for these parameters in the application code. This is a change only Jinher can ship; deployers should request it and verify it in any update they receive.
3) Monitor IIS and application logs for requests to the endpoint whose 'id' or 'offsnum' values contain quotes, comment sequences, SQL keywords or stacked percent-encoding, and for database error pages or unusual response times from that page.
4) Deploy virtual patching via a WAF or reverse proxy until an official vendor patch is released. ASP.NET handlers may read the same parameter names from the query string and from the POST body, so inspect both.
5) Segment the OA system from critical internal networks, and run its database connection with a least-privilege login so that a compromise of the OA schema does not extend to other data on the server.
6) Back up the OA database regularly and test restores, so that data corruption or deletion can be recovered.
7) Engage Jinher, or a trusted third-party security vendor, for a fix or interim mitigation if the vendor remains unresponsive.
8) Brief system administrators and security teams on this vulnerability and update incident response plans to cover SQL injection against the OA platform.
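As an added example, not code from this page or from Jinher, the following Python implements the allow-list decision from step 1 and the log triage from step 3, and runs it over constructed IIS W3C log lines. It assumes that 'id' and 'offsnum' are integer identifiers and assumes a particular W3C field order; neither is confirmed by the advisory. The sample payloads are generic SQL injection shapes used to exercise the check, not a known working exploit for this endpoint.

```python
"""Allow-list check and IIS log triage for the id/offsnum parameters of the
OfficeSupplyTypeRight.aspx endpoint (CVE-2026-2963). Added example, not vendor code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

AFFECTED_STEM = "/C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx"
WATCHED_PARAMS = ("id", "offsnum")
# ASSUMPTION: both parameters carry integer identifiers. The advisory does not
# state their type; widen the pattern if the application legitimately sends more.
PLAIN_INT = re.compile(r"^-?\d{1,10}$")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so a double-encoded %2527 ends up as a quote."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(raw_query: str) -> dict[str, list[str]]:
    """Split on '&' only (never ';'), then decode each name and value.

    Splitting before decoding keeps an encoded '&' or '=' inside a value intact.
    """
    params: dict[str, list[str]] = {}
    if raw_query in ("", "-"):  # IIS writes '-' for an empty query string
        return params
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name).lower(), []).append(fully_decode(value))
    return params


def offending_params(params: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Watched parameters whose decoded value is not a plain integer.

    An allow-list catches 'id=12 AND 1=1', which has no quote, comment sequence
    or UNION for a keyword blocklist to match on.
    """
    return [(name, value)
            for name in WATCHED_PARAMS
            for value in params.get(name, [])
            if not PLAIN_INT.fullmatch(value)]


def request_allowed(uri_stem: str, raw_query: str) -> bool:
    """Decision a WAF or reverse-proxy virtual patch would make for one request."""
    if uri_stem.lower() != AFFECTED_STEM.lower():
        return True
    return not offending_params(parse_query(raw_query))


# ASSUMPTION: IIS W3C field order used by the constructed sample below.
FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status")

# Constructed sample log: one benign request, four injection shapes against the
# affected page (tautology, UNION, double-encoded quote, stacked WAITFOR), and a
# quote against an unrelated page that this endpoint-specific check ignores.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-01 09:15:01 10.0.0.5 GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx id=12&offsnum=3 80 - 192.0.2.10 Mozilla/5.0 200
2026-03-01 09:15:02 10.0.0.5 GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx id=12%20AND%201%3D1 80 - 198.51.100.7 Mozilla/5.0 200
2026-03-01 09:15:03 10.0.0.5 GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx offsnum=0+UNION+SELECT+NULL,NULL-- 80 - 198.51.100.7 Mozilla/5.0 500
2026-03-01 09:15:04 10.0.0.5 GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx id=1%2527%2520OR%25201%253D1 80 - 198.51.100.7 sqlmap/1.8 200
2026-03-01 09:15:05 10.0.0.5 GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx offsnum=1;WAITFOR+DELAY+'0:0:5'-- 80 - 198.51.100.7 Mozilla/5.0 200
2026-03-01 09:15:06 10.0.0.5 GET /C6/login.aspx user=1'+OR+1%3D1 80 - 198.51.100.7 Mozilla/5.0 200
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    param: str
    decoded_value: str
    status: str


def scan_w3c(lines) -> list[Finding]:
    """Report requests to the affected page whose watched parameters fail the allow-list."""
    findings: list[Finding] = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # different field layout or truncated line: skip rather than guess
        rec = dict(zip(FIELDS, parts))
        if rec["cs-uri-stem"].lower() != AFFECTED_STEM.lower():
            continue
        for name, value in offending_params(parse_query(rec["cs-uri-query"])):
            findings.append(Finding(rec["time"], rec["c-ip"], name, value, rec["sc-status"]))
    return findings


if __name__ == "__main__":
    for f in scan_w3c(SAMPLE_LOG.splitlines()):
        print(f"{f.time} {f.client_ip} {f.param}={f.decoded_value!r} -> HTTP {f.status}")
```

Running the file prints the four flagged requests, all from the same client. Decoding until the value stops changing matters because a filter that decodes once passes `%2527` through to an application that decodes it again into a quote. IIS logs record only the query string, so the same allow-list should also run in the WAF or proxy against form-body parameters, which the log-based triage cannot see.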
Affected Countries
China, Taiwan, Singapore, Malaysia, Vietnam, Indonesia, South Korea, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-22T07:22:45.351Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699ba713be58cf853bda304f
Added to database: 2/23/2026, 1:02:11 AM
Last enriched: 2/23/2026, 1:16:59 AM
Last updated: 2/23/2026, 8:12:41 AM