CVE-2026-1132
Published: 19 January 2026
Summary
CVE-2026-1132 is a medium-severity Injection (CWE-74) vulnerability in Yonyou Ksoa. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-1132 is a SQL injection vulnerability (CWE-74, CWE-89) in Yonyou KSOA 9.0. It affects an unknown function within the file /kmf/edit_folder.jsp, specifically the HTTP GET Parameter Handler component, where manipulation of the folderid argument triggers the injection.
The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful attacks result in low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), yielding an overall CVSS v3.1 base score of 7.3 in an unchanged scope (S:U). A public exploit exists and could be used.
References, including a GitHub issue and VulDB entries, indicate the vendor was contacted early regarding disclosure but provided no response. No patches or official mitigations are detailed in the available information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3250
Vulnerability details
A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /kmf/edit_folder.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument folderid results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of a public-facing web application via SQL injection in an unauthenticated HTTP GET parameter.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): mandates validation and sanitization of all inputs (e.g., the folderid GET parameter) so that SQL-injection payloads are rejected before they reach the database.
AC-3 (Access Enforcement): enforces access-control policy so that unauthenticated or unauthorized subjects cannot invoke the vulnerable /kmf/edit_folder.jsp endpoint at all.
Boundary protection: mechanisms such as WAF rules or input-filtering gateways can inspect and drop SQL-injection attempts targeting the folderid parameter.
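A defender-side check for the two input-facing controls above (SI-10 validation and boundary inspection), written as an added example rather than anything from the advisory or the vendor: it reads constructed access-log lines, isolates requests to /kmf/edit_folder.jsp, and flags any folderid that fails a strict allowlist. The numeric-ID format of folderid and the log layout are assumptions, since the advisory states neither.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
VULN_PATH = "/kmf/edit_folder.jsp"
VULN_PARAM = "folderid"

# Assumption: a legitimate folderid is a short decimal identifier. The advisory
# does not state the expected format, so replace this with the real one.
FOLDERID_ALLOWLIST = re.compile(r"\d{1,10}")

# Textbook SQL-injection tokens, used only as a secondary triage signal.
SQLI_TOKENS = re.compile(r"(['\"]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\()", re.I)

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the advisory); the probe values are
# generic SQLi test strings that any WAF or IDS signature set already covers.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2026:10:01:02 +0000] "GET /kmf/edit_folder.jsp?folderid=1024 HTTP/1.1" 200 512
10.0.0.7 - - [19/Jan/2026:10:01:09 +0000] "GET /kmf/edit_folder.jsp?folderid=1024'%20AND%201=1-- HTTP/1.1" 200 530
10.0.0.7 - - [19/Jan/2026:10:01:15 +0000] "GET /kmf/edit_folder.jsp?folderid=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 118
10.0.0.9 - - [19/Jan/2026:10:02:00 +0000] "GET /kmf/list.jsp?page=2 HTTP/1.1" 200 900
"""

def folderid_is_valid(value: str) -> bool:
    """Strict allowlist check: the same test the application should apply (SI-10)."""
    return FOLDERID_ALLOWLIST.fullmatch(value) is not None

def scan_access_log(text: str) -> list[dict]:
    """One finding per request to the vulnerable endpoint whose folderid fails
    the allowlist; the decoded value and a token flag are kept for triage."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes and maps '+' to space: this is what the JSP would read.
        for value in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
            if folderid_is_valid(value):
                continue
            findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "folderid": value,
                             "sqli_tokens": bool(SQLI_TOKENS.search(value))})
    return findings
```

The allowlist test is the primary signal; the token flag only helps prioritise, since an encoded or novel payload still fails the allowlist even when it matches no token.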