CVE-2026-1123
Published: 18 January 2026
Summary
CVE-2026-1123 is a medium-severity Injection (CWE-74) vulnerability in Yonyou Ksoa. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-1123 is a SQL injection vulnerability (CWE-74, CWE-89) in Yonyou KSOA 9.0. The flaw affects an unknown function in the file /worksheet/work_mod.jsp within the HTTP GET Parameter Handler component, where manipulation of the ID argument enables SQL injection.
The vulnerability is exploitable remotely by unauthenticated attackers requiring low attack complexity and no user interaction, per its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve low-level impacts on confidentiality, integrity, and availability through SQL injection.
VulDB advisories and a GitHub issue (https://github.com/LX-66-LX/cve/issues/9, https://vuldb.com/?ctiid.341715, https://vuldb.com/?id.341715, https://vuldb.com/?submit.734550) document the issue, confirming a publicly available exploit. The vendor was contacted early for disclosure but provided no response, and no patches or mitigations are specified.
A public exploit exists and might be used in attacks, with the vulnerability published on 2026-01-18.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3177
Vulnerability details
A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely.…
more
The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely accessible web application component directly enables exploitation of a public-facing app for initial access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the ID HTTP GET parameter to block the SQL injection payload in work_mod.jsp.
Enforces access-control policy on the database so that even a successful injection cannot perform unauthorized read/write actions.
Enables monitoring and anomaly detection on database queries or web requests that exhibit SQL-injection patterns against the exposed endpoint.