Submit #782969: AutohomeCorp frostmourne <= 1.0 SQL Injectioninfo

TitleAutohomeCorp frostmourne <= 1.0 SQL Injection
DescriptionFrostmourne Monitor contains a MySQL dynamic SQL injection vulnerability in the alarm preview/query flow. The metricContract.queryString value is treated as trusted SQL and is directly concatenated into backend queries without parameterization or whitelist validation. An authenticated attacker who can access the alarm preview functionality can first enumerate an available MySQL data name and then supply arbitrary SQL expressions that are executed by the server against the corresponding MySQL data source.
Source⚠️ https://fx4tqqfvdw4.feishu.cn/docx/M0u0dPZmZosY9Ax6OsScJ3Blnxf?from=from_copylink
User
 xcxr (UID 86629)
Submission03/19/2026 13:15 (18 days ago)
Moderation04/04/2026 16:09 (16 days later)
StatusAccepted
VulDB entry355333 [AutohomeCorp frostmourne up to 1.0 Alarm Preview previewData httpTest sql injection]
Points20

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!