A weakness has been identified in Jinher OA C6. The affected element is an unknown function of the file /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx. Executing a manipulation of the argument queryID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
PUBLISHED5.2ApplicationCWE-89CWE-74
Jinher OA GetFormSn.aspx sql injection
Problem type
Affected products
Jinher
OA
C6 - AFFECTED
References
VDB-368969 | Jinher OA GetFormSn.aspx sql injection
https://vuldb.com/vuln/368969
VDB-368969 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/368969/cti
CVE-2026-11412 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11412
Submit #819943 | Beijing Jinhe Network Co., LTD Jin and OA C6 SQL Injection
https://vuldb.com/submit/819943
github.com
https://github.com/MichaelZhuang521/cve/issues/3
GitHub Security Advisories
GHSA-5422-5257-mh57
A weakness has been identified in Jinher OA C6. The affected element is an unknown function of...
https://github.com/advisories/GHSA-5422-5257-mh57A weakness has been identified in Jinher OA C6. The affected element is an unknown function of the file /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx. Executing a manipulation of the argument queryID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-11412
github.com
https://github.com/MichaelZhuang521/cve/issues/3
vuldb.com
https://vuldb.com/cve/CVE-2026-11412
vuldb.com
https://vuldb.com/submit/819943
vuldb.com
https://vuldb.com/vuln/368969
vuldb.com
https://vuldb.com/vuln/368969/cti
github.com
https://github.com/advisories/GHSA-5422-5257-mh57
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-11412Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-11412",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-06-06T11:00:12.400Z",
"dateReserved": "2026-06-05T18:38:42.901Z",
"datePublished": "2026-06-06T11:00:12.400Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-06-06T11:00:12.400Z"
},
"title": "Jinher OA GetFormSn.aspx sql injection",
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Jinher OA C6. The affected element is an unknown function of the file /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx. Executing a manipulation of the argument queryID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"affected": [
{
"vendor": "Jinher",
"product": "OA",
"cpes": [
"cpe:2.3:a:jinher:oa:*:*:*:*:*:*:*:*"
],
"versions": [
{
"version": "C6",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "SQL Injection",
"cweId": "CWE-89",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Injection",
"cweId": "CWE-74",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/vuln/368969",
"name": "VDB-368969 | Jinher OA GetFormSn.aspx sql injection",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/vuln/368969/cti",
"name": "VDB-368969 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/cve/CVE-2026-11412",
"name": "CVE-2026-11412 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://vuldb.com/submit/819943",
"name": "Submit #819943 | Beijing Jinhe Network Co., LTD Jin and OA C6 SQL Injection",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://github.com/MichaelZhuang521/cve/issues/3",
"tags": [
"exploit",
"issue-tracking"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"baseScore": 6.5
}
}
],
"timeline": [
{
"time": "2026-06-05T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-06-05T02:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-06-06T08:55:19.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "MichaelChong (VulDB User)",
"type": "reporter"
},
{
"lang": "en",
"value": "MichaelChong (VulDB User)",
"type": "analyst"
},
{
"lang": "en",
"value": "VulDB CNA Team",
"type": "coordinator"
}
]
}
}
}