CVE-2026-4594
Published: 23 March 2026
Summary
CVE-2026-4594 is a medium-severity SQL Injection (CWE-89) vulnerability in Feishu (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-4594 is a SQL injection vulnerability in the Erupt framework, versions up to 1.13.3. The issue affects the geneEruptHqlOrderBy function in the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java, where manipulation of the sort.field argument leads to SQL injection in Hibernate.
The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection.
Advisories from VulDB note that the exploit has been publicly disclosed and may be used, with the vendor contacted early but providing no response. No patches or specific mitigations are mentioned in the available references.
The vulnerability is associated with CWE-89 (SQL Injection) and CWE-564 (SQL Injection: Hibernate).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14475
Vulnerability details
A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Such manipulation of the argument sort.field leads to sql injection hibernate. It is possible to launch the…
more
attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated SQL injection in a web framework directly enables exploitation of public-facing applications (T1190) via crafted sort.field input to Hibernate HQL.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by validating and sanitizing untrusted inputs like the sort.field argument before processing in Hibernate HQL queries.
Remediates the specific SQL injection flaw in the geneEruptHqlOrderBy function of the Erupt framework through timely patching or code fixes.
Vulnerability scanning detects SQL injection issues like CWE-89 in the Erupt framework, enabling proactive remediation before exploitation.