CVE-2026-5147: SQL Injection in YunaiV yudao-cloud
CVE-2026-5147 is a medium severity SQL injection vulnerability in YunaiV yudao-cloud version 2026. 01. The flaw exists in the /admin-api/system/tenant/get-by-website endpoint, where manipulation of the Website argument allows remote attackers to perform SQL injection. The vulnerability has a CVSS 4. 0 base score of 6. 9. The vendor has not responded to disclosure attempts, and no patch or official remediation is currently available. Public exploit code has been released, but no known exploitation in the wild has been reported.
AI Analysis
Technical Summary
This vulnerability involves an SQL injection in the YunaiV yudao-cloud product up to version 2026.01. Specifically, the injection point is in the /admin-api/system/tenant/get-by-website API endpoint, where the Website parameter is not properly sanitized, allowing remote attackers to inject SQL commands. The vulnerability is remotely exploitable without authentication and has a CVSS 4.0 score of 6.9, indicating medium severity. The vendor has not issued a fix or advisory, and no patch links are available. Exploit code has been publicly released, increasing the risk of potential attacks.
Potential Impact
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database via the Website parameter. This could lead to unauthorized data access, modification, or other database impacts depending on the database privileges. However, the vulnerability is rated medium severity with low vector and impact complexity, and no known active exploitation has been reported.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor, and the vendor has not responded to disclosure attempts. Users should monitor the vendor's communications for any future updates or patches. Until a fix is released, consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the /admin-api/system/tenant/get-by-website endpoint. Restricting access to this API endpoint to trusted networks or authenticated users may also reduce exposure.
CVE-2026-5147: SQL Injection in YunaiV yudao-cloud
Description
CVE-2026-5147 is a medium severity SQL injection vulnerability in YunaiV yudao-cloud version 2026. 01. The flaw exists in the /admin-api/system/tenant/get-by-website endpoint, where manipulation of the Website argument allows remote attackers to perform SQL injection. The vulnerability has a CVSS 4. 0 base score of 6. 9. The vendor has not responded to disclosure attempts, and no patch or official remediation is currently available. Public exploit code has been released, but no known exploitation in the wild has been reported.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves an SQL injection in the YunaiV yudao-cloud product up to version 2026.01. Specifically, the injection point is in the /admin-api/system/tenant/get-by-website API endpoint, where the Website parameter is not properly sanitized, allowing remote attackers to inject SQL commands. The vulnerability is remotely exploitable without authentication and has a CVSS 4.0 score of 6.9, indicating medium severity. The vendor has not issued a fix or advisory, and no patch links are available. Exploit code has been publicly released, increasing the risk of potential attacks.
Potential Impact
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database via the Website parameter. This could lead to unauthorized data access, modification, or other database impacts depending on the database privileges. However, the vulnerability is rated medium severity with low vector and impact complexity, and no known active exploitation has been reported.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor, and the vendor has not responded to disclosure attempts. Users should monitor the vendor's communications for any future updates or patches. Until a fix is released, consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the /admin-api/system/tenant/get-by-website endpoint. Restricting access to this API endpoint to trusted networks or authenticated users may also reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-03-30T13:23:47.648Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69caca21e6bfc5ba1d5f423b
Added to database: 3/30/2026, 7:08:17 PM
Last enriched: 4/7/2026, 10:57:45 AM
Last updated: 5/15/2026, 5:07:41 AM
Views: 86
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.