CVE-2026-7060: SQL Injection in liyupi yu-picture
CVE-2026-7060 is a medium severity SQL injection vulnerability in the liyupi yu-picture application, specifically in the PageRequest function of PictureServiceImpl. java. The issue arises from unsafe manipulation of the sortField argument, allowing remote attackers to inject SQL commands. The vulnerability has been publicly disclosed, but no official patch or remediation has been released yet. The project maintainers have been informed but have not responded. Exploitation could lead to unauthorized database access or manipulation.
AI Analysis
Technical Summary
The vulnerability CVE-2026-7060 affects liyupi yu-picture up to commit a053632c41340152bf75b66b3c543d129123d8ec. It is located in the PageRequest function within yu-picture-backend/src/main/java/com/yupi/yupicturebackend/service/impl/PictureServiceImpl.java, which uses MyBatis-Plus. Improper handling of the sortField argument allows an attacker to perform SQL injection remotely without authentication. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity) with network attack vector, low complexity, no privileges required, and no user interaction needed. No official patch or fix is currently available, and the vendor has not reacted to early reports.
Potential Impact
Successful exploitation of this vulnerability can allow remote attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or disruption of service. Since no patch is available and the product lacks versioning, affected users cannot currently remediate via updates. The exploit has been publicly disclosed, increasing the risk of exploitation.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Users should monitor the vendor's communications for updates and consider implementing temporary mitigations such as input validation or restricting access to the vulnerable function if possible. Since the vendor has not yet responded to the issue, caution and defensive coding practices are advised until a fix is released. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-7060: SQL Injection in liyupi yu-picture
Description
CVE-2026-7060 is a medium severity SQL injection vulnerability in the liyupi yu-picture application, specifically in the PageRequest function of PictureServiceImpl. java. The issue arises from unsafe manipulation of the sortField argument, allowing remote attackers to inject SQL commands. The vulnerability has been publicly disclosed, but no official patch or remediation has been released yet. The project maintainers have been informed but have not responded. Exploitation could lead to unauthorized database access or manipulation.
CVSS v4.0
Score 6.9medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-7060 affects liyupi yu-picture up to commit a053632c41340152bf75b66b3c543d129123d8ec. It is located in the PageRequest function within yu-picture-backend/src/main/java/com/yupi/yupicturebackend/service/impl/PictureServiceImpl.java, which uses MyBatis-Plus. Improper handling of the sortField argument allows an attacker to perform SQL injection remotely without authentication. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity) with network attack vector, low complexity, no privileges required, and no user interaction needed. No official patch or fix is currently available, and the vendor has not reacted to early reports.
Potential Impact
Successful exploitation of this vulnerability can allow remote attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or disruption of service. Since no patch is available and the product lacks versioning, affected users cannot currently remediate via updates. The exploit has been publicly disclosed, increasing the risk of exploitation.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Users should monitor the vendor's communications for updates and consider implementing temporary mitigations such as input validation or restricting access to the vulnerable function if possible. Since the vendor has not yet responded to the issue, caution and defensive coding practices are advised until a fix is released. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-26T01:19:00.706Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ee75ceba26a39fba5bc32e
Added to database: 4/26/2026, 8:30:06 PM
Last enriched: 5/4/2026, 7:29:20 AM
Last updated: 6/11/2026, 9:24:11 AM
Views: 87
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.