PatchSiren cyber security CVE debrief
CVE-2026-9544 Shenzhen Sixun Software CVE debrief
A SQL injection vulnerability exists in the Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 10. The vulnerability is located in the `/api/Dinner/PayConfig` endpoint, where the `tableno` parameter is susceptible to injection attacks. The issue allows remote attackers to manipulate SQL queries through crafted input to this parameter. The vulnerability has been publicly disclosed with proof-of-concept material available. The vendor was contacted prior to disclosure but did not respond. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, and low impact to confidentiality, integrity, and availability. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in an SQL Command).
- Vendor: Shenzhen Sixun Software
- Product: Sixun Shanghui Group Business Management System
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations operating Sixun Shanghui Group Business Management System version 10; security teams managing hospitality or retail business management platforms; defenders responsible for API security and SQL injection prevention
Technical summary
The Sixun Shanghui Group Business Management System 10 contains a SQL injection vulnerability in its dinner payment configuration API. The `/api/Dinner/PayConfig` endpoint fails to properly sanitize the `tableno` parameter before incorporating it into SQL queries. This allows remote unauthenticated attackers to inject arbitrary SQL commands, potentially enabling unauthorized data access, modification, or deletion. The attack requires no privileges and has low complexity. Public exploit material increases the immediate risk. The vendor has not acknowledged or patched the vulnerability as of the disclosure date.
Defensive priority
medium
Recommended defensive actions
- Review and restrict network access to the `/api/Dinner/PayConfig` endpoint if possible
- Implement parameterized queries or prepared statements for all database interactions involving the `tableno` parameter
- Apply input validation and sanitization on the `tableno` parameter to reject unexpected characters and patterns
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting this endpoint
- Monitor application logs for anomalous queries or error patterns indicative of injection attempts
- Contact Shenzhen Sixun Software for patch availability and vendor security response
- Consider network segmentation to limit exposure of business management system interfaces
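As an added example (not code from the advisory or from the vendor's product; the real schema, column names and the expected `tableno` format are unknown, so the `pay_config` table and the short alphanumeric token format are assumptions), the following Python contrasts the string-spliced query pattern behind CWE-89 with a validated, parameterized version, and then reuses the same allow-list to flag requests to `/api/Dinner/PayConfig` in constructed access-log lines, covering the parameterization, validation and monitoring actions above:

```python
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

# Assumption: a table number is a short alphanumeric token such as "T12".
# The product's real format is not public; this allow-list is a constructed stand-in.
TABLENO_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")
ENDPOINT = "/api/Dinner/PayConfig"


def make_db():
    """In-memory stand-in for a pay-config table (constructed schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pay_config (tableno TEXT, pay_method TEXT)")
    conn.executemany(
        "INSERT INTO pay_config VALUES (?, ?)",
        [("T1", "cash"), ("T2", "card"), ("T3", "wallet")],
    )
    return conn


def pay_config_vulnerable(conn, tableno):
    """The weakness class described in the advisory: the parameter is spliced
    into the SQL text, so quote characters in it change the query's structure."""
    sql = f"SELECT pay_method FROM pay_config WHERE tableno = '{tableno}'"
    return [row[0] for row in conn.execute(sql)]


def validate_tableno(tableno):
    """Allow-list validation: reject anything that is not a short alphanumeric token."""
    if not TABLENO_RE.fullmatch(tableno):
        raise ValueError("invalid tableno")
    return tableno


def pay_config_hardened(conn, tableno):
    """Validate first, then bind the value as a query parameter. Bound values are
    passed to the engine as data and can never alter the SQL statement itself."""
    tableno = validate_tableno(tableno)
    sql = "SELECT pay_method FROM pay_config WHERE tableno = ?"
    return [row[0] for row in conn.execute(sql, (tableno,))]


# Constructed access-log lines in a combined-log-like layout (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2026:10:01:02 +0000] "GET /api/Dinner/PayConfig?tableno=T2 HTTP/1.1" 200 88
10.0.0.7 - - [26/May/2026:10:01:09 +0000] "GET /api/Dinner/PayConfig?tableno=T2%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 240
10.0.0.9 - - [26/May/2026:10:01:15 +0000] "GET /api/Dinner/Menu?tableno=T5 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_suspicious_requests(log_text):
    """Return (client_ip, decoded tableno) for PayConfig requests whose tableno
    fails the same allow-list the application enforces. parse_qs percent-decodes
    the value, so encoded quotes are inspected in their decoded form."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query).get("tableno", []):
            if not TABLENO_RE.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("hardened T2 ->", pay_config_hardened(db, "T2"))
    print("flagged ->", flag_suspicious_requests(SAMPLE_LOG))
```

The log check is deliberately the same predicate as the application-side validation: anything the endpoint would reject is worth an alert, and the rule stays correct even if the attacker's encoding varies, because the value is normalised before it is tested.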
Evidence notes
The vulnerability was disclosed through VulDB, with public proof-of-concept documentation hosted on the Feishu platform. The vendor was non-responsive to disclosure attempts.
Official resources
public