PT-2026-6940 · Unknown · Xiaopi Panel

Customer · Published 2026-02-08 · Updated 2026-02-08 · CVE-2026-2122

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Xiaopi Panel versions prior to 20260127

Description

A security flaw exists in Xiaopi Panel. The issue impacts an unknown function of the file /demo.php within the WAF Firewall component. Manipulation of the ID argument can lead to SQL injection, allowing for remote attacks. The exploit has been publicly released. The vendor was contacted but did not respond.

Recommendations

Versions prior to 20260127 should be updated. Restrict access to the file /demo.php as a temporary mitigation. Avoid using the ID parameter in the affected component until the issue is resolved.

Exploit

Fix

Special Elements Injection

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-2122

Affected Products

Xiaopi Panel