This vulnerability exists in the getDataBySQL function of the yudao-cloud product by YunaiV, specifically in version 2026.01. The flaw allows remote attackers to perform SQL injection by manipulating input to the affected function, potentially compromising database integrity or confidentiality. The vendor was notified but did not respond, and no official fix or patch is currently available. Exploit code is publicly accessible, increasing the risk of exploitation.

Successful exploitation could allow an attacker with low privileges to execute arbitrary SQL commands remotely, potentially leading to unauthorized data access or modification. The impact is limited by the low complexity and no user interaction required, but the vulnerability has low scope and vector complexity, resulting in a medium severity rating.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded and no official fix is available, users should consider implementing application-level input validation and SQL query parameterization as temporary mitigations to reduce risk until an official patch is released.