Submit #739688: https://github.com/jishenghua/jshERP jshERP v3.6 SQL Injectioninfo

Titlehttps://github.com/jishenghua/jshERP jshERP v3.6 SQL Injection
DescriptionIn MyBatis when accessing interface "com.jsh.erp.datasource.mappers.DepotItemMapperEx#getBillItemByParam", there is direct replacement concatenation using ${}. Construct a special Excel file and place the attack fields into it. By sending the file through request route "/jshERP-boot/depotItem/importItemExcel", the attack fields are injected into the SQL statement without being validated or sanitized, leading to a risk.
Source⚠️ https://github.com/jishenghua/jshERP/issues/145
User
 mukyuuhate (UID 93052)
Submission01/15/2026 11:30 (5 months ago)
Moderation01/28/2026 16:26 (13 days later)
StatusAccepted
VulDB entry343230 [jishenghua jshERP up to 3.6 com.jsh.erp.datasource.mappers.DepotItemMapperEx importItemExcel getBillItemByParam barCodes sql injection]
Points20

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!