← Back
2026-06-07 7:15CVE-2026-11456VulDB
PUBLISHED5.2ApplicationCWE-89CWE-74

Chanjet CRM HTTP GET Request jxf_dump_systable.php sql injection

A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf_dump_systable.php of the component HTTP GET Request Handler. Such manipulation of the argument gblOrgID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Problem type

Affected products

Chanjet

CRM

1.0 - AFFECTED

References

VDB-369075 | Chanjet CRM HTTP GET Request jxf_dump_systable.php sql injection

https://vuldb.com/vuln/369075

vdb-entrytechnical-description
VDB-369075 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/369075/cti

signaturepermissions-required
CVE-2026-11456 | CVE Analysis and Report

https://vuldb.com/cve/CVE-2026-11456

third-party-advisory
Submit #828375 | Chanjet Chanjet CRM V1.0 SQL Injection

https://vuldb.com/submit/828375

third-party-advisory
gist.github.com

https://gist.github.com/jikdarren/67ba9fdd2a8b619fc9a370102c317971

exploit

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-11456
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-11456",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-06-07T07:15:07.511Z",
    "dateReserved": "2026-06-06T15:58:18.190Z",
    "datePublished": "2026-06-07T07:15:07.511Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-06-07T07:15:07.511Z"
      },
      "title": "Chanjet CRM HTTP GET Request jxf_dump_systable.php sql injection",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf_dump_systable.php of the component HTTP GET Request Handler. Such manipulation of the argument gblOrgID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "affected": [
        {
          "vendor": "Chanjet",
          "product": "CRM",
          "cpes": [
            "cpe:2.3:a:chanjet:crm:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "HTTP GET Request Handler"
          ],
          "versions": [
            {
              "version": "1.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "SQL Injection",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Injection",
              "cweId": "CWE-74",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/vuln/369075",
          "name": "VDB-369075 | Chanjet CRM HTTP GET Request jxf_dump_systable.php sql injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/vuln/369075/cti",
          "name": "VDB-369075 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/cve/CVE-2026-11456",
          "name": "CVE-2026-11456 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://vuldb.com/submit/828375",
          "name": "Submit #828375 | Chanjet Chanjet CRM V1.0 SQL Injection",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://gist.github.com/jikdarren/67ba9fdd2a8b619fc9a370102c317971",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "baseScore": 7.3,
            "baseSeverity": "HIGH"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "baseScore": 7.3,
            "baseSeverity": "HIGH"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "baseScore": 7.5
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-06-06T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-06-06T02:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-06-06T18:03:21.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "jikdarren (VulDB User)",
          "type": "reporter"
        },
        {
          "lang": "en",
          "value": "VulDB CNA Team",
          "type": "coordinator"
        }
      ]
    }
  }
}