PT-2026-29101 · Yunaiv · Yudao-Cloud

Narcher

Published

2026-03-30

Updated

2026-03-31

CVE-2026-5147

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions YunaiV yudao-cloud versions prior to 2026.01

Description A security flaw has been discovered in YunaiV yudao-cloud. The issue affects an unknown part of the file /admin-api/system/tenant/get-by-website. Manipulation of the Website argument results in SQL injection. The attack can be launched remotely. The exploit has been publicly released. The vendor was contacted about this disclosure but did not respond.

Recommendations Versions prior to 2026.01 should be updated. As a temporary workaround, restrict access to the /admin-api/system/tenant/get-by-website endpoint. Avoid using the Website parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Special Elements Injection

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-89

Related Identifiers

CVE-2026-5147

Affected Products

Yudao-Cloud

PT-2026-29101 · Yunaiv · Yudao-Cloud

CVE-2026-5147

Weakness Enumeration

Related Identifiers

Affected Products

References · 8