| Title | 648540858 (GitHub) wvp-GB28181-pro master branch — commit to be confirmed (see repository for latest hash) SQL Injection |
|---|
| Description | A SQL injection vulnerability exists in the stream proxy list endpoint of wvp-GB28181-pro. The `query` parameter passed to `GET /api/proxy/list` is incorporated into a dynamically constructed SQL statement via direct string concatenation without parameterization. An authenticated attacker can inject arbitrary SQL to extract sensitive data from the database, including credentials.
|
|---|
| Source | ⚠️ https://github.com/bybinyu/Vulnerability-Practice/issues/9 |
|---|
| User | binyu (UID 96262) |
|---|
| Submission | 03/15/2026 07:34 (4 months ago) |
|---|
| Moderation | 03/30/2026 21:01 (16 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 352435 [648540858 wvp-GB28181-pro up to 2.7.4 Stream Proxy Query StreamProxyProvider.java selectAll sql injection] |
|---|
| Points | 0 |
|---|