PatchSiren cyber security CVE debrief

CVE-2026-9551 Das CVE debrief

A SQL injection vulnerability exists in Das Parking Management System (停车场管理系统) version 6.2.0, specifically within the xp_cmdshell function of the ParkingRecord/ExportParkingRecords API endpoint. The vulnerability allows remote attackers to manipulate the 'Value' parameter to inject arbitrary SQL commands. The CVSS 4.0 vector indicates network attack vector with low complexity, no required privileges or user interaction, and low impacts across confidentiality, integrity, and availability dimensions. The exploit has been publicly disclosed and is marked as 'Deferred' status in NVD. The vendor was reportedly contacted prior to disclosure but did not respond.

Vendor: Das
Product: Parking Management System 停车场管理系统
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

  • Organizations operating Das Parking Management System 停车场管理系统 version 6.2.0
  • Security teams managing parking management infrastructure
  • Database administrators responsible for SQL Server instances with xp_cmdshell enabled
  • Incident response teams monitoring for SQL injection attacks against API endpoints

Technical summary

The vulnerability resides in the xp_cmdshell function implementation within the ParkingRecord/ExportParkingRecords API endpoint of Das Parking Management System 6.2.0. Insufficient input validation on the 'Value' parameter enables SQL injection, potentially allowing attackers to execute arbitrary SQL commands including operating system commands through xp_cmdshell. The attack can be conducted remotely without authentication. The presence of xp_cmdshell suggests potential for command execution beyond standard SQL injection impacts. Public exploit availability increases immediate risk exposure.

Defensive priority

medium

Recommended defensive actions

  • Review and restrict network access to the ParkingRecord/ExportParkingRecords API endpoint
  • Implement parameterized queries or prepared statements to replace dynamic SQL in the xp_cmdshell function
  • Apply input validation and sanitization on the 'Value' parameter
  • Monitor database logs for suspicious xp_cmdshell invocations and unauthorized command execution
  • Contact vendor for security patch availability given non-response to initial disclosure
  • Consider Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting this endpoint
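The two actions that most directly address this class of bug are replacing dynamic SQL with a parameterized query and watching the database audit trail for xp_cmdshell use and for statements that do not look like the export query. The following Python is an added illustration, not code from Das or from this advisory: it uses an in-memory SQLite table as a stand-in for the SQL Server ParkingRecord table (the column names, the audit-line format, the `app_user` login and the sample rows are all constructed assumptions), shows the dynamic-SQL version of an export lookup beside the parameterized version, and runs an allow-list triage over a few constructed audit lines.

```python
import re
import sqlite3

# Constructed sample rows standing in for the product's ParkingRecord table.
# Schema and values are assumptions for this example, not taken from the advisory.
SAMPLE_ROWS = [
    (1, "A123", "2026-05-26"),
    (2, "B456", "2026-05-25"),
    (3, "C789", "2026-05-26"),
]


def open_db():
    """In-memory SQLite stand-in for the SQL Server database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ParkingRecord (Id INTEGER, Plate TEXT, Value TEXT)")
    conn.executemany("INSERT INTO ParkingRecord VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def export_records_dynamic(conn, value):
    """Dynamic SQL: the request's 'Value' parameter is spliced into the statement text.
    Whatever the caller sends is parsed as SQL, which is the defect class described above."""
    sql = f"SELECT Plate FROM ParkingRecord WHERE Value = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def export_records_parameterized(conn, value):
    """Parameterized query: 'Value' is bound as data and never becomes SQL text,
    so the statement shape is fixed regardless of the input."""
    sql = "SELECT Plate FROM ParkingRecord WHERE Value = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


# Constructed audit lines in the assumed form "<timestamp> <login> <endpoint> <statement>".
SAMPLE_AUDIT = [
    "2026-05-26T10:01:02 app_user ExportParkingRecords SELECT Plate FROM ParkingRecord WHERE Value = '2026-05-26'",
    "2026-05-26T10:01:05 app_user ExportParkingRecords SELECT Plate FROM ParkingRecord WHERE Value = 'x' OR '1'='1'",
    "2026-05-26T10:01:09 app_user ExportParkingRecords EXEC master..xp_cmdshell 'whoami'",
    "2026-05-26T10:02:00 dba_user ssms EXEC sp_configure 'xp_cmdshell', 0",
]

APP_LOGIN = "app_user"  # assumed login the application uses; it should never need xp_cmdshell
XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
# Allow-list of the only statement shape the export endpoint is expected to issue.
EXPECTED_EXPORT_STMT = re.compile(r"^SELECT Plate FROM ParkingRecord WHERE Value = '[^']*'$")


def triage_audit(lines):
    """Return (timestamp, reason) findings for audit lines that warrant investigation."""
    findings = []
    for line in lines:
        ts, login, endpoint, stmt = line.split(" ", 3)
        if login == APP_LOGIN and XP_CMDSHELL.search(stmt):
            findings.append((ts, "xp_cmdshell invoked under the application login"))
        elif endpoint == "ExportParkingRecords" and not EXPECTED_EXPORT_STMT.match(stmt):
            findings.append((ts, "statement deviates from the expected export query"))
    return findings


if __name__ == "__main__":
    db = open_db()
    print("dynamic, normal input:      ", export_records_dynamic(db, "2026-05-26"))
    print("dynamic, crafted input:     ", export_records_dynamic(db, "x' OR '1'='1"))
    print("parameterized, same input:  ", export_records_parameterized(db, "x' OR '1'='1"))
    for ts, reason in triage_audit(SAMPLE_AUDIT):
        print(f"{ts}  {reason}")
```

The allow-list check is the part worth carrying over to a real deployment: an export endpoint issues a small, fixed set of statement shapes, so anything else from its login is a finding even before a signature for a specific payload exists. The DBA line that disables xp_cmdshell with sp_configure is deliberately not flagged, since that is the administrative action the hardening advice calls for.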

Evidence notes

  • Vulnerability identified in Das Parking Management System 6.2.0
  • Affects the xp_cmdshell function in the ParkingRecord/ExportParkingRecords API endpoint
  • SQL injection via 'Value' parameter manipulation
  • Remote attack vector; exploit publicly available
  • Vendor non-responsive to disclosure
  • NVD status 'Deferred'
  • CVSS 4.0 score 5.5 (MEDIUM)
  • CWE-74 and CWE-89 identified as weakness types

Official resources

2026-05-26