PatchSiren cyber security CVE debrief
CVE-2026-11456 Chanjet CVE debrief
A SQL injection vulnerability was identified in Chanjet CRM 1.0, specifically in the /tools/jxf_dump_systable.php file. The vulnerability is caused by manipulation of the argument gblOrgID, which leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
- Vendor: Chanjet
- Product: CRM
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-07
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-07
- Advisory updated: 2026-06-08
Who should care
Users of Chanjet CRM 1.0 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by a lack of proper input validation in the /tools/jxf_dump_systable.php file. An attacker can inject malicious SQL code by manipulating the gblOrgID argument, which can lead to unauthorized access to sensitive data.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Use prepared statements with parameterized queries to prevent SQL injection.
- Limit access to the /tools/jxf_dump_systable.php file to only authorized users.
- Monitor the system for suspicious activity.
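One way to act on the access-restriction and monitoring items above is to review web server access logs for requests to the affected file. The following is an added example, not code from the advisory or the vendor; it assumes Combined Log Format, a client allowlist you supply, and that a legitimate gblOrgID is a short identifier of letters, digits, "_" or "-" (the advisory does not state the parameter's type). The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/tools/jxf_dump_systable.php"  # file named in the advisory
PARAM = "gblOrgID"                            # argument named in the advisory
# Assumption: legitimate values are short identifiers; adjust to your deployment.
EXPECTED_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Combined Log Format: client, timestamp, method, request target, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2026:10:00:01 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jun/2026:10:00:05 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1001%27 HTTP/1.1" 500 0',
    '203.0.113.5 - - [08/Jun/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

def review_log(lines, allowed_clients=frozenset()):
    """Return one finding per request to TARGET_PATH that needs review.

    Only query-string values are visible in an access log; a parameter sent
    in a POST body still produces a finding if the client is not allowlisted.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable request line
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.lower() != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so encoded characters are checked too.
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        reasons = []
        if client not in allowed_clients:
            reasons.append("client not on allowlist")
        if any(not EXPECTED_VALUE.fullmatch(v) for v in values):
            reasons.append("unexpected characters in " + PARAM)
        if len(values) > 1:
            reasons.append("parameter repeated")
        if reasons:
            findings.append({"client": client, "time": when, "method": method,
                             "status": int(status), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG, allowed_clients={"192.0.2.10"}):
        print(finding)
```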
Evidence notes
The vulnerability was identified by an unknown source and was published on June 7, 2026. The CVE record was created on June 7, 2026, and was last modified on June 8, 2026.
Official resources
CVE-2026-11456 was published on 2026-06-07T09:16:21.673Z and was last modified on 2026-06-08T14:57:14.757Z.