Cyber Resilience

CVE-2024-58352

High · Public PoC

Published: 02 July 2026

Published: 02 July 2026
Modified: 02 July 2026
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score (v4): 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0056 (42.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2024-58352 is a high-severity SQL Injection: Hibernate (CWE-564) vulnerability in Csdn (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, it is ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POST parameter of the wechatLoginHelper.do endpoint. Attackers can exploit the lack of input sanitization in the string-concatenated filter expression passed to the Hibernate findList() call to extract sensitive data such as administrator password hashes and, with sufficient database privileges, perform file-write operations enabling remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-03-11 (UTC).
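The root cause named above is a filter expression assembled by string concatenation and handed to a Hibernate query. The following is an added illustration, not Landray's code and not the referenced PoC, of that pattern beside the parameterized form Hibernate provides; the entity `User`, its `uid` field, the `findList` helper and the `javax.persistence` (Hibernate 5) API level are all assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

/** Hypothetical entity standing in for whatever the application maps; not the vendor's model. */
@Entity
class User {
    @Id public Long id;
    public String uid;
    public String passwordHash;
}

/** Hypothetical lookup helper used to contrast the two query-building styles. */
public class UidLookup {

    /**
     * Vulnerable shape as the advisory describes it: the caller-supplied uid is
     * concatenated into the HQL where-clause, so the value is parsed as HQL
     * syntax instead of being treated purely as data.
     */
    public static List<User> findByUidUnsafe(Session session, String uid) {
        String filter = "uid = '" + uid + "'";   // request data becomes query text
        return findList(session, filter);
    }

    /** Hypothetical stand-in for a findList(filter) helper that appends a raw where-clause. */
    private static List<User> findList(Session session, String filter) {
        return session.createQuery("from User where " + filter, User.class).getResultList();
    }

    /** Assumed shape of a legitimate uid (alphanumeric, '_' or '-', bounded length); defense in depth only. */
    private static final Pattern UID_SHAPE = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    /**
     * Hardened form: the value is bound as a named parameter, so Hibernate never
     * parses it as HQL, and an input-shape check rejects anything that cannot be
     * a real uid before the query is built.
     */
    public static List<User> findByUidSafe(Session session, String uid) {
        if (uid == null || !UID_SHAPE.matcher(uid).matches()) {
            throw new IllegalArgumentException("uid rejected by input validation");
        }
        Query<User> q = session.createQuery("from User u where u.uid = :uid", User.class);
        q.setParameter("uid", uid);   // bound parameter: data, never query syntax
        return q.getResultList();
    }
}
```

The parameter binding is the actual fix; the regex check is an additional control that also gives a clean log signal when a request carries a uid that does not match the expected shape.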

CWE(s)

Related Threats

CVEs Like This One

- CVE-2025-8052 (shared CWE-564)
- CVE-2026-4594 (shared CWE-564)
- CVE-2025-0959 (shared CWE-564)
- CVE-2026-40871 (shared CWE-564)

Affected Assets

Csdn (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References