PT-2026-5231 · Jishenghua · Jsherp
Mukyuuhate · Published 2026-01-28 · Updated 2026-02-09 · CVE-2026-1546
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: jishenghua jshERP versions up to 3.6

Description: A security issue exists in jishenghua jshERP. The getBillItemByParam function within the com.jsh.erp.datasource.mappers.DepotItemMapperEx component, reached through /jshERP-boot/depotItem/importItemExcel, is susceptible to SQL injection. Manipulation of the barCodes argument can trigger this issue, and remote exploitation is possible. The exploit has been publicly disclosed.

Recommendations: Versions up to 3.6: Address the SQL injection issue in the getBillItemByParam function of the com.jsh.erp.datasource.mappers.DepotItemMapperEx component. As a temporary workaround, restrict or carefully sanitize input to the barCodes argument.
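The advisory names the two controls a fix needs: input restriction on barCodes and a query that cannot be reshaped by that input. The following is an added example, written for this page and not code from the jshERP project (which is Java/MyBatis; this is a Python model of the same pattern against an in-memory SQLite table). The bar-code format (letters, digits, hyphens, at most 32 characters), the cap of 500 codes per request, and the table and column names are assumptions for the example.

```python
from __future__ import annotations

import re
import sqlite3

# Assumed allowlist for one bar code. The real jshERP format is not stated in the
# advisory; adjust the pattern to the formats the deployment actually uses.
BARCODE_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")
MAX_BARCODES = 500  # assumed cap: bounds the IN (...) list and the work per request


def parse_bar_codes(raw: str) -> list[str]:
    """Split a comma-separated barCodes parameter and reject anything outside the allowlist.

    Malformed input raises ValueError rather than being "cleaned": rejecting is safer
    than rewriting, and the error text is what you want in the request log.
    """
    codes = [c.strip() for c in raw.split(",") if c.strip()]
    if not codes:
        raise ValueError("barCodes is empty")
    if len(codes) > MAX_BARCODES:
        raise ValueError(f"too many bar codes: {len(codes)} > {MAX_BARCODES}")
    bad = [c for c in codes if not BARCODE_RE.fullmatch(c)]
    if bad:
        raise ValueError(f"rejected bar codes: {bad!r}")
    return codes


def lookup_bill_items(conn: sqlite3.Connection, codes: list[str]) -> list[tuple[str, str]]:
    """Parameterised 'IN (...)' lookup: one placeholder per code, values bound by the
    driver (the MyBatis equivalent is #{} inside <foreach>, never ${}). A quote or
    keyword inside a code is compared as data and can never alter the query text."""
    if not codes:
        return []
    placeholders = ",".join("?" * len(codes))
    sql = (
        "SELECT bar_code, name FROM material_extend "
        f"WHERE bar_code IN ({placeholders}) ORDER BY bar_code"
    )
    return conn.execute(sql, codes).fetchall()


def get_bill_items_by_bar_codes(conn: sqlite3.Connection, raw: str) -> list[tuple[str, str]]:
    """Both layers together: validate first, then query with bound parameters."""
    return lookup_bill_items(conn, parse_bar_codes(raw))


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the ERP's item table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE material_extend (bar_code TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO material_extend VALUES (?, ?)",
        [("1001", "bolt"), ("1002", "nut"), ("AB-77", "washer")],
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(get_bill_items_by_bar_codes(db, "1001, AB-77"))
    try:
        get_bill_items_by_bar_codes(db, "1001,1002'")
    except ValueError as exc:
        print("rejected:", exc)
```

The two layers are independent on purpose: the allowlist is the "restrict input" workaround from the advisory and can be deployed at a controller or WAF boundary without touching the mapper, while the bound-parameter query is the actual fix and still holds if a code with a stray quote ever reaches it (it simply matches no row).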

Weakness Enumeration: Special Elements Injection; SQL injection

Related Identifiers: CVE-2026-1546

Affected Products: Jsherp