{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-9551/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9551"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Parking Management System 停车场管理系统 6.2.0"],"_cs_severities":["high"],"_cs_tags":["cve-2026-9551","sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":["Das"],"content_html":"\u003cp\u003eA SQL injection vulnerability, identified as CVE-2026-9551, affects Das Parking Management System 停车场管理系统 version 6.2.0. The vulnerability resides within the \u003ccode\u003exp_cmdshell\u003c/code\u003e function of the \u003ccode\u003eParkingRecord/ExportParkingRecords\u003c/code\u003e file, specifically in the API Endpoint component. An attacker can remotely exploit this vulnerability by manipulating the \u003ccode\u003eValue\u003c/code\u003e argument, injecting malicious SQL commands. Publicly available exploit code exists, increasing the risk of exploitation. \nThe vendor was notified but did not respond.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies the vulnerable API endpoint \u003ccode\u003e/ParkingRecord/ExportParkingRecords\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the API endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a modified \u003ccode\u003eValue\u003c/code\u003e argument designed to inject SQL commands into the application\u0026rsquo;s database query.\u003c/li\u003e\n\u003cli\u003eThe application processes the request without proper sanitization of the \u003ccode\u003eValue\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe injected SQL commands are executed against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data from the database or modifies existing data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003exp_cmdshell\u003c/code\u003e to execute arbitrary operating system commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9551 allows an attacker to execute arbitrary SQL commands on the affected system. This can lead to unauthorized access to sensitive data, modification of data, or complete system compromise through operating system command execution via \u003ccode\u003exp_cmdshell\u003c/code\u003e. \nThe absence of vendor response exacerbates the risk, potentially leading to widespread exploitation if left unpatched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-9551 Exploitation Attempt via SQL Injection\u003c/code\u003e to identify exploitation attempts (see below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/ParkingRecord/ExportParkingRecords\u003c/code\u003e containing SQL injection payloads (see Sigma rule and webserver logs).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eValue\u003c/code\u003e argument in the \u003ccode\u003eParkingRecord/ExportParkingRecords\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eDisable or restrict the use of \u003ccode\u003exp_cmdshell\u003c/code\u003e if not required to prevent command execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T15:21:31Z","date_published":"2026-05-26T15:21:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9551-sql-injection/","summary":"A SQL injection vulnerability exists in Das Parking Management System 停车场管理系统 version 6.2.0 allowing a remote attacker to execute arbitrary SQL commands by manipulating the Value argument in the xp_cmdshell function of the ParkingRecord/ExportParkingRecords API endpoint.","title":"Das Parking Management System 停车场管理系统 SQL Injection Vulnerability (CVE-2026-9551)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9551-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-9551","version":"https://jsonfeed.org/version/1.1"}