CVE-2026-2820
Published: 20 February 2026
Summary
CVE-2026-2820 is an Injection (CWE-74) vulnerability, specifically SQL injection (CWE-89). This summary records a base score of 6.9 (Medium); the deeper analysis below cites a CVSS v3.1 base score of 7.3 (High) for the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The two figures are not the same scale: 7.3 is what that v3.1 vector computes to, and 6.9 is consistent with a CVSS v4.0 scoring of the same impact profile, although the page does not label the version behind the 6.9.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 2.9th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog. Both signals lag: a public proof-of-concept script is already referenced below, so treat the low percentile as a snapshot rather than as grounds to defer remediation.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-2820 is a SQL injection vulnerability (CWE-74, CWE-89) affecting the Fujian Smart Integrated Management Platform System up to version 7.5. The issue lies in the handling of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx, where the DeviceIDS argument reaches a database query without adequate validation or parameterization, so a crafted value changes the SQL that is executed. Published on 2026-02-20, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated High.
The flaw is exploitable remotely by unauthenticated attackers with low attack complexity and no user interaction. By manipulating the DeviceIDS parameter an attacker can inject SQL into the handler's query and reach the underlying database. The vector rates the confidentiality, integrity and availability impacts as Low (C:L/I:L/A:L); in practice the reach of an injection is bounded by the privileges of the database account the handler connects with, which is why least privilege (AC-6) appears among the mitigations below.
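To make the mechanism and the fix concrete, the following Python program is an added illustration and not the vendor's code: the real handler is an ASP.NET .ashx file whose query is not public, so the table names, the `SELECT ... WHERE DeviceID IN (...)` shape, the use of sqlite3 as the database engine, and the reading of DeviceIDS as a comma-separated list of integers are all assumptions. It shows the string-spliced query that the advisory's description implies, two payloads that ride on it, and the SI-10 style validator plus parameterized IN clause that closes the hole.

```python
"""
Added example (not the vendor's code): the class of flaw behind CVE-2026-2820
and its fix, reduced to a runnable stand-in.  The real handler is an ASP.NET
.ashx file whose query is not public; the table names, the SELECT shape and the
'list of integer IDs' interpretation of DeviceIDS are ASSUMPTIONS made for
illustration.  sqlite3 stands in for the real database engine.
"""
import re
import sqlite3

# Allowlist for DeviceIDS: a comma-separated list of integers and nothing else.
DEVICE_IDS_RE = re.compile(r"\d{1,10}(,\d{1,10})*")
MAX_IDS = 200  # cap list length so one request cannot produce a huge IN clause


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema: a device table plus a table the handler should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Devices (DeviceID INTEGER PRIMARY KEY, Name TEXT);
        CREATE TABLE Users   (UserID INTEGER, Login TEXT, PasswordHash TEXT);
        INSERT INTO Devices VALUES (1, 'door-1'), (2, 'door-2'), (3, 'gate-A');
        INSERT INTO Users   VALUES (1, 'admin', 'hash-constructed-placeholder');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, device_ids: str) -> list:
    """The pattern the advisory describes: the parameter is spliced into SQL as text."""
    sql = ("SELECT DeviceID, Name FROM Devices "
           f"WHERE DeviceID IN ({device_ids}) ORDER BY DeviceID")
    return conn.execute(sql).fetchall()


def parse_device_ids(raw: str) -> list:
    """SI-10 style validation: reject anything that is not a short list of integers."""
    if not isinstance(raw, str) or not DEVICE_IDS_RE.fullmatch(raw):
        raise ValueError("DeviceIDS must be a comma-separated list of integers")
    ids = [int(x) for x in raw.split(",")]
    if len(ids) > MAX_IDS:
        raise ValueError("too many DeviceIDS values")
    return ids


def safe_lookup(conn: sqlite3.Connection, raw_device_ids: str) -> list:
    """Validated input plus a parameterized IN clause: one '?' per value, values bound separately."""
    ids = parse_device_ids(raw_device_ids)
    placeholders = ",".join("?" * len(ids))  # built from the COUNT of values, never from their text
    sql = ("SELECT DeviceID, Name FROM Devices "
           f"WHERE DeviceID IN ({placeholders}) ORDER BY DeviceID")
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = setup_db()
    tautology = "0) OR 1=1 --"                                    # returns every device row
    union = "0) UNION SELECT UserID, PasswordHash FROM Users --"  # reads a different table
    print("vulnerable, tautology:", vulnerable_lookup(db, tautology))
    print("vulnerable, UNION    :", vulnerable_lookup(db, union))
    print("safe, normal input   :", safe_lookup(db, "1,3"))
    for payload in (tautology, union):
        try:
            safe_lookup(db, payload)
        except ValueError as exc:
            print("safe, rejected       :", repr(payload), "->", exc)
```

The parameterized version derives its placeholders from the number of values, never from their text, which is exactly where hand-rolled IN clauses go wrong. Validation and parameterization are complementary: the allowlist rejects hostile input early and yields a clean audit signal, while the bound parameters guarantee that anything which does get through is treated as data. Least privilege (AC-6) is the remaining layer: a handler that only needs to read the device table should connect as a database account that can read nothing else, so that even a successful UNION returns nothing worth having.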
Advisories on VulDB (ctiid.346945, id.346945, submit.753397) document the flaw, and GitHub repositories provide a write-up and a public proof-of-concept exploit script (poc.py). None of the referenced sources describes a vendor patch or specific mitigation steps. Because the exploit is public, real-world attacks against exposed instances should be treated as feasible; until a fix is available, the controls listed under Mitigating Controls below are the practical defence.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7622
Vulnerability details
A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a remotely accessible unauthenticated web handler (.ashx) directly enables exploitation of a public-facing application (T1190) for database compromise.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs, including the DeviceIDS parameter, so that values which are not of the expected form are rejected before they reach the database; combined with parameterized queries, this removes the injection point rather than filtering around it.
- AC-6 (Least Privilege): limits the privileges of the database account used by XAccessPermissionPlus.ashx so that a successful injection cannot read or modify data beyond what the handler legitimately needs.
- Audit logging and monitoring: enables review of web-application access logs and database query logs to identify anomalous DeviceIDS values and SQL patterns in requests to the vulnerable .ashx endpoint, and to attribute them to a source address.
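As an added example of the monitoring control above (not from the advisory or the vendor), the following Python script scans web-server access logs for requests to the vulnerable handler whose DeviceIDS value is not a plain integer list, and prioritises the flagged values by whether they contain SQL syntax. The log lines are constructed for illustration in an IIS W3C-like field order; the assumption that a legitimate DeviceIDS is a comma-separated list of integers is also mine and should be checked against real traffic before the rule is deployed.

```python
"""
Added example (not from the advisory or the vendor): a detection pass over
web-server access logs for the endpoint named in CVE-2026-2820.  The log lines
are CONSTRUCTED in an IIS W3C-like layout for illustration; adapt parse_line()
to the field order your server actually logs.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs

TARGET_STEM = "/Module/CRXT/Controller/XAccessPermissionPlus.ashx"
PARAM = "DeviceIDS"

# What a legitimate value should look like (assumption: comma-separated integer list).
ID_LIST_RE = re.compile(r"\d{1,10}(,\d{1,10})*")
# Tokens used to prioritise a value once it has already failed the allowlist.
SQL_TOKENS_RE = re.compile(
    r"(?i)\b(union|select|insert|update|delete|drop|exec|waitfor|sleep|or|and)\b|--|/\*|;|'"
)

# Constructed sample: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2026-02-20 10:01:02 10.0.0.5 GET /Module/CRXT/Controller/XAccessPermissionPlus.ashx DeviceIDS=1,2,3 192.0.2.10 200
2026-02-20 10:01:09 10.0.0.5 GET /Module/CRXT/Controller/XAccessPermissionPlus.ashx DeviceIDS=1)+UNION+SELECT+1,2-- 198.51.100.7 200
2026-02-20 10:01:15 10.0.0.5 GET /Module/CRXT/Controller/XAccessPermissionPlus.ashx DeviceIDS=1%27%20OR%201%3D1-- 198.51.100.7 500
2026-02-20 10:01:20 10.0.0.5 GET /Module/Other/Handler.ashx id=1%27 192.0.2.11 200
2026-02-20 10:01:31 10.0.0.5 GET /Module/CRXT/Controller/XAccessPermissionPlus.ashx DeviceIDS=7 192.0.2.12 200
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C-style line into named fields; None for blank or unparseable lines."""
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, _s_ip, method, stem, query, c_ip, status = parts
    return {"time": f"{date} {time}", "method": method, "stem": stem,
            "query": "" if query == "-" else query, "client": c_ip, "status": status}


def classify_value(value: str) -> Optional[str]:
    """None if the value passes the allowlist; otherwise the reason it was flagged."""
    if ID_LIST_RE.fullmatch(value):
        return None
    return "sql-syntax" if SQL_TOKENS_RE.search(value) else "malformed"


def analyze(log_text: str) -> list:
    """Return one alert per suspicious DeviceIDS value sent to the vulnerable handler."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["stem"] != TARGET_STEM:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so the value is
        # inspected in the form the handler itself would have received.
        for value in parse_qs(rec["query"]).get(PARAM, []):
            reason = classify_value(value)
            if reason:
                alerts.append({**rec, "value": value, "reason": reason})
    return alerts


def offenders(alerts: list) -> Counter:
    """Alerts per client address, to decide which source to block or investigate first."""
    return Counter(a["client"] for a in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"]} {a["client"]} {a["status"]} {a["reason"]:10s} {a["value"]!r}')
    print(offenders(found))
```

Run it over the handler's access log, or port the same two checks into a SIEM rule. The allowlist check catches probing that keyword lists miss, such as encoded or obfuscated payloads, while the keyword check helps with triage; pair it with the database server's own query log, since a 500 response on the .ashx endpoint together with a malformed DeviceIDS value is a strong indicator of an injection attempt that reached the database.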