CVE-2026-4594

HIGH NVD

CVSS Score 7.3

Severity HIGH

Published Mar 23, 2026

Vendor unknown

Description

A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Such manipulation of the argument sort.field leads to sql injection hibernate. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

https://fx4tqqfvdw4.feishu.cn/docx/ETWUdbPk1oCC56xoEWHc3Q28nEc?from=from_copylink
https://vuldb.com/?ctiid.352431
https://vuldb.com/?id.352431
https://vuldb.com/?submit.775594