PT-2026-1775 · Yshopmall · Yshopmall
Mukyuuhate
·
Published
2026-01-09
·
Updated
2026-01-09
·
CVE-2025-15496
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
guchengwuyue yshopmall versions up to 1.9.1
Description
A flaw exists in the
getPage function within the /api/jobs file that allows for SQL injection through manipulation of the sort argument. This issue can be exploited remotely. The exploit is publicly available. The project maintainers were notified but have not yet responded.Recommendations
Versions up to 1.9.1 should be updated when a fix becomes available. As a temporary workaround, restrict access to the
/api/jobs file or disable the getPage function until a patch is available.Exploit
Fix
SQL injection
Special Elements Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Yshopmall