Vulnerabilities ›

CVE-2026-7060

High

CWE-74 — Weakness Type

                    Published: Apr 26, 2026                      ·  Modified: May 3, 2026                      ·  Source: NVD                

CVSS v3

7.3

🔗 NVD Official

📄 Description (English)

A vulnerability was determined in liyupi yu-picture up to a053632c41340152bf75b66b3c543d129123d8ec. This impacts the function PageRequest of the file yu-picture-backend/src/main/java/com/yupi/yupicturebackend/service/impl/PictureServiceImpl.java of the component MyBatis-Plus. Executing a manipulation of the argument sortField can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Applying a patch is advised to resolve this issue. The project was informed of the problem early through a pull request but has not reacted yet.

🤖 AI Executive Summary

A SQL injection vulnerability exists in liyupi yu-picture's MyBatis-Plus component through the sortField parameter in PageRequest function, allowing remote code execution. The vulnerability affects the picture service implementation and has been publicly disclosed with no patch currently available.

📄 Description (Arabic)

ثغرة حقن SQL في مكون MyBatis-Plus الخاص بتطبيق yu-picture تسمح للمهاجمين بتنفيذ استعلامات SQL عشوائية عبر معامل sortField. يمكن استغلال هذه الثغرة عن بعد دون الحاجة إلى مصادقة، مما يهدد سرية وتكامل البيانات المخزنة في قاعدة البيانات.

🤖 ملخص تنفيذي (AI)

ثغرة حقن SQL موجودة في مكون MyBatis-Plus الخاص بـ liyupi yu-picture عبر معامل sortField في دالة PageRequest، مما يسمح بتنفيذ الأوامر عن بعد. تؤثر الثغرة على خدمة الصور وتم الكشف عنها علناً بدون توفر تصحيح حالياً.

🤖 AI Intelligence Analysis Analyzed: May 6, 2026 05:17

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

government telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1083 T1005

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade to a patched version once available; implement input validation and parameterized queries for all sortField parameters; apply Web Application Firewall (WAF) rules to detect and block SQL injection attempts; conduct code review of MyBatis-Plus implementations; restrict database user permissions to minimum required privileges.

🔧 خطوات المعالجة (العربية)

قم بالترقية الفورية إلى نسخة مصححة عند توفرها؛ طبق التحقق من صحة المدخلات والاستعلامات المعاملة لجميع معاملات sortField؛ طبق قواعد جدار حماية تطبيقات الويب للكشف عن محاولات حقن SQL؛ أجرِ مراجعة شاملة للأكواد التي تستخدم MyBatis-Plus؛ قيد صلاحيات مستخدم قاعدة البيانات بالحد الأدنى المطلوب.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC-1.1 ECC-1.2 ECC-2.1

🔵 SAMA CSF

ID.RA-1 PR.DS-1 PR.DS-2

🟡 ISO 27001:2022

A.12.2.1 A.13.1.1 A.14.2.1

🔗 References & Sources 6

🔗

https://github.com/liyupi/yu-picture/

cna@vuldb.com

🔗

https://github.com/liyupi/yu-picture/issues/4

cna@vuldb.com

🔗

https://github.com/liyupi/yu-picture/pull/3

cna@vuldb.com

🔗

https://vuldb.com/submit/798612

cna@vuldb.com

🔗

https://vuldb.com/vuln/359633

cna@vuldb.com

🔗

https://vuldb.com/vuln/359633/cti

cna@vuldb.com

📊 CVSS Score

7.3

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity High

CVSS Score7.3

CWECWE-74

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-04-26

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-74

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-7060

💬 Comments

Introduce Yourself

Sign In Required