PT-2026-35240 · Unknown · Yu-Picture

Anch0R · Published 2026-04-26 · Updated 2026-04-26 · CVE-2026-7060

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: liyupi yu-picture, versions prior to commit a053632c41340152bf75b66b3c543d129123d8ec
Description: Remote SQL injection is possible via the sortField argument of PageRequest(), which the MyBatis-Plus component in yu-picture-backend/src/main/java/com/yupi/yupicturebackend/service/impl/PictureServiceImpl.java uses when building the picture query. A sort field is a column identifier, and identifiers cannot be bound as prepared-statement parameters; unless the value is checked against a fixed list of permitted columns it is copied into the SQL text, so a request-controlled sortField lets an unauthenticated remote attacker inject SQL and read or modify database contents.
Recommendations: Apply the available patch (commit a053632c41340152bf75b66b3c543d129123d8ec) to resolve the issue. As a temporary workaround, validate the sortField argument used in PageRequest() against an allow-list of permitted column names and reject any other value. Escaping or filtering SQL keywords is not sufficient here, because the value is used as an identifier in the query text rather than as a bound parameter.
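The workaround above is the standard fix for this bug class in MyBatis-Plus: QueryWrapper.orderBy(...) concatenates the column name into the generated SQL, so the only safe sort field is one chosen from a fixed allow-list. The following is an added illustration, not code from yu-picture or from MyBatis-Plus; the Picture entity, the column names in SORT_COLUMNS and the "ascend"/"descend" sort-order values are assumptions made for the example.

```java
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative example (not yu-picture's own code): a caller-supplied
 * sortField flowing into a MyBatis-Plus ORDER BY clause, shown in its
 * vulnerable form and in an allow-listed form.
 */
public class SortFieldExample {

    /** Hypothetical entity; the fields are assumptions for this example. */
    public static class Picture {
        private Long id;
        private String name;
    }

    /**
     * Allow-list: request-facing field name -> actual column name.
     * Because the SQL column is looked up rather than echoed, no byte of the
     * request ever reaches the query text. Entries are assumed, not taken
     * from the project.
     */
    private static final Map<String, String> SORT_COLUMNS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("id", "id");
        m.put("name", "name");
        m.put("createTime", "create_time");
        m.put("updateTime", "update_time");
        SORT_COLUMNS = Collections.unmodifiableMap(m);
    }

    /** VULNERABLE: sortField is passed straight into ORDER BY. */
    public static QueryWrapper<Picture> buildVulnerable(String sortField, String sortOrder) {
        QueryWrapper<Picture> qw = new QueryWrapper<>();
        boolean asc = "ascend".equals(sortOrder);
        // A value such as "id,(SELECT SLEEP(5))" is copied verbatim into the SQL.
        qw.orderBy(sortField != null && !sortField.isEmpty(), asc, sortField);
        return qw;
    }

    /** HARDENED: only allow-listed fields are accepted, mapped to fixed column names. */
    public static QueryWrapper<Picture> buildHardened(String sortField, String sortOrder) {
        QueryWrapper<Picture> qw = new QueryWrapper<>();
        String column = resolveSortColumn(sortField);
        boolean asc = "ascend".equals(sortOrder);   // anything else sorts descending
        if (column != null) {
            qw.orderBy(true, asc, column);           // column is a constant from the map
        }
        return qw;
    }

    /**
     * Returns the column for an allow-listed sortField, null when no sort was
     * requested, and throws for anything not on the list. Rejecting (rather
     * than silently dropping) unknown values makes probing visible in logs.
     */
    public static String resolveSortColumn(String sortField) {
        if (sortField == null || sortField.isEmpty()) {
            return null;
        }
        String column = SORT_COLUMNS.get(sortField);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sortField");
        }
        return column;
    }

    public static void main(String[] args) {
        String payload = "id,(SELECT SLEEP(5))";   // constructed sample input
        System.out.println("vulnerable: " + buildVulnerable(payload, "ascend").getSqlSegment());
        System.out.println("hardened:   " + buildHardened("createTime", "descend").getSqlSegment());
        try {
            buildHardened(payload, "ascend");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The first line printed by main shows the injected text inside the ORDER BY segment of the vulnerable wrapper, while the hardened builder emits ORDER BY create_time DESC for a valid field and refuses the payload outright. The same lookup-based approach applies wherever a request supplies an identifier (column, table, or sort direction): map the request value to a constant you control, and never let the request string itself reach the wrapper.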

Exploit · Fix

Weakness Enumeration

SQL injection

Special Elements Injection

Related Identifiers

CVE-2026-7060

Affected Products

Yu-Picture