Cyber Resilience

CVE-2026-2820

Medium

Published: 20 February 2026

Modified: 15 April 2026
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (2.9th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2820 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2820 is a SQL injection vulnerability (CWE-74, CWE-89) affecting the Fujian Smart Integrated Management Platform System up to version 7.5. The issue arises in the processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx, where manipulation of the DeviceIDS argument enables SQL injection. Published on 2026-02-20, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated as high severity.

The vulnerability can be exploited remotely by unauthenticated attackers; it requires low attack complexity and no user interaction. An attacker who manipulates the DeviceIDS parameter can inject SQL, with low impact on the confidentiality, integrity, and availability of the underlying database.

Advisories documented on VulDB (ctiid.346945, id.346945, submit.753397) detail the flaw, while GitHub repositories provide an introduction and a public proof-of-concept exploit script (poc.py). No specific patches or mitigation steps are described in the referenced sources.

The exploit has been publicly released, facilitating potential real-world attacks against affected systems.

Vulnerability details

A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible unauthenticated web handler (.ashx) directly enables exploitation of a public-facing application (T1190) for database compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150 (shared CWE-74, CWE-89)
CVE-2026-3746 (shared CWE-74, CWE-89)
CVE-2025-2683 (shared CWE-74, CWE-89)
CVE-2026-5238 (shared CWE-74, CWE-89)
CVE-2026-4288 (shared CWE-74, CWE-89)
CVE-2026-2220 (shared CWE-74, CWE-89)
CVE-2025-1535 (shared CWE-74, CWE-89)
CVE-2026-0597 (shared CWE-74, CWE-89)
CVE-2026-1688 (shared CWE-74, CWE-89)
CVE-2026-5018 (shared CWE-74, CWE-89)

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-10, Information Input Validation): Directly requires validation of all inputs (including the DeviceIDS parameter) to reject malformed or malicious SQL syntax before it reaches the database.

Prevent (AC-6, Least Privilege): Limits the privileges of the database account used by XAccessPermissionPlus.ashx so that a successful injection cannot read or modify arbitrary data.

Detect: Enables monitoring of web-application and database query logs to identify anomalous SQL patterns originating from the vulnerable .ashx endpoint.
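As an added illustration of the SI-10 input-validation control (example code written for this page, not code from the affected product, VulDB, or the published PoC), the hypothetical handler below validates a DeviceIDS value, assumed here to be a comma-separated list of integer device IDs, and then binds each ID as a query parameter so that no request-controlled text ever becomes part of the SQL statement. The table, its rows, and the `devices` schema are constructed samples.

```python
import re
import sqlite3

# Constructed sample data standing in for the platform's device table.
SAMPLE_DEVICES = [(101, "door-A"), (102, "door-B"), (205, "gate-1")]

# Assumed DeviceIDS format: one or more integers separated by commas,
# no spaces, quotes or other characters. Anything else is rejected.
ID_LIST_RE = re.compile(r"^\d{1,10}(,\d{1,10})*$")
MAX_IDS = 100  # cap the list so a request cannot build a huge IN clause


def parse_device_ids(raw):
    """Validate DeviceIDS and return it as a list of ints, or raise ValueError."""
    if raw is None or not ID_LIST_RE.fullmatch(raw):
        raise ValueError("DeviceIDS must be a comma-separated list of integers")
    ids = [int(x) for x in raw.split(",")]
    if len(ids) > MAX_IDS:
        raise ValueError("too many device IDs")
    return ids


def fetch_devices(conn, raw_device_ids):
    """Look up devices with a parameterised IN clause: one '?' per ID.

    Only the count of placeholders depends on the request; the values are
    passed to the driver separately, so they are never parsed as SQL."""
    ids = parse_device_ids(raw_device_ids)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, name FROM devices WHERE id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, ids).fetchall()


def open_sample_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def is_rejected(raw):
    """True when the validator refuses the value before any query is built."""
    try:
        parse_device_ids(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    print(fetch_devices(db, "101,205"))   # valid list: two rows
    print(is_rejected("1 OR 1=1"))        # tautology text is refused: True
```

The same pattern applies to any driver that supports bound parameters; the validation step is what keeps the placeholder count, and therefore the statement text, independent of request content.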
