CVE-2026-7699

Summary

A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
DromaraMaxKey3.5.0affected
DromaraMaxKey3.5.1affected
DromaraMaxKey3.5.2affected
DromaraMaxKey3.5.3affected
DromaraMaxKey3.5.4affected
DromaraMaxKey3.5.5affected
DromaraMaxKey3.5.6affected
DromaraMaxKey3.5.7affected
DromaraMaxKey3.5.8affected
DromaraMaxKey3.5.9affected
DromaraMaxKey3.5.10affected
DromaraMaxKey3.5.11affected
DromaraMaxKey3.5.12affected
DromaraMaxKey3.5.13affected

Weaknesses

  • CWE-89: SQL Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References