CVE-2026-1121
Published 2026-01-18
Priority P357 · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% (36.4th percentile)
A vulnerability was found in Yonyou KSOA 9.0. It affects an unknown function of the file /worksheet/del_workplan.jsp in the HTTP GET Parameter Handler component: manipulation of the argument ID results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
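Because no detection rule is indexed for this CVE, here is an added log-side check written for this page (it is not Yonyou's code and not an official rule). It pulls the `ID` parameter out of GET requests to /worksheet/del_workplan.jsp in combined-format access logs and flags values carrying SQL metacharacters or keywords. It assumes that legitimate IDs are plain integers and that the logs are in Apache/nginx combined format; the function names and the sample log lines are constructed for the example.

```javascript
// Added example: flag suspicious values of the `ID` GET parameter sent to
// /worksheet/del_workplan.jsp in web-server access logs.
// Assumptions (not stated on the page): legitimate IDs are plain integers,
// and the logs are in Apache/nginx "combined" format.

const TARGET_PATH = '/worksheet/del_workplan.jsp';
const TARGET_PARAM = 'id'; // matched case-insensitively

// Generic SQL-injection indicators, applied after URL decoding.
const SQLI_PATTERN = /('|--|\/\*|;|\b(union|select|sleep|benchmark|waitfor|or|and)\b)/i;

// Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Returns the percent-decoded ID value for requests to the target path, else null.
function extractId(target) {
  let parsed;
  try {
    parsed = new URL(target, 'http://placeholder.invalid');
  } catch {
    return null;
  }
  if (parsed.pathname.toLowerCase() !== TARGET_PATH) return null;
  for (const [key, value] of parsed.searchParams) {
    if (key.toLowerCase() === TARGET_PARAM) return value; // searchParams decodes %XX
  }
  return null;
}

function classifyId(value) {
  if (/^\d+$/.test(value)) return 'ok';
  if (SQLI_PATTERN.test(value)) return 'sqli-suspect';
  return 'non-numeric';
}

// Scans log lines and returns one finding per request whose ID is not a plain integer.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const id = extractId(rec.target);
    if (id === null) continue;
    const verdict = classifyId(id);
    if (verdict !== 'ok') findings.push({ ip: rec.ip, time: rec.time, id, verdict });
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [18/Jan/2026:10:00:01 +0000] "GET /worksheet/del_workplan.jsp?ID=1023 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [18/Jan/2026:10:00:07 +0000] "GET /worksheet/del_workplan.jsp?ID=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "curl/8.5.0"',
  '10.0.0.9 - - [18/Jan/2026:10:00:09 +0000] "GET /worksheet/del_workplan.jsp?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 221 "-" "curl/8.5.0"',
  '10.0.0.7 - - [18/Jan/2026:10:00:12 +0000] "GET /worksheet/list.jsp?ID=1%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
  '10.0.0.3 - - [18/Jan/2026:10:00:15 +0000] "POST /login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

for (const finding of scanLog(SAMPLE_LOG)) {
  console.log(JSON.stringify(finding));
}
```

Only the two requests to the target path with non-integer IDs are reported; the quote in a request to a different JSP and the POST without a query string are ignored. Tune `SQLI_PATTERN` to the application's real ID format before using this on production logs, since `\b(or|and)\b` will fire on ordinary words if IDs are ever alphanumeric.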
Affected
3 ranges (two of them come from the undici advisory for CVE-2026-1527 aggregated below, not from this CVE)
| Vendor | Product | Version range | Fixed in | Advisory |
|---|---|---|---|---|
| undici | undici | >= 0 < 6.24.0 | 6.24.0 | CVE-2026-1527 (GHSA) |
| undici | undici | >= 7.0.0 < 7.24.0 | 7.24.0 | CVE-2026-1527 (GHSA) |
| yonyou | ksoa | 9.0 | — (no fix published; vendor did not respond) | CVE-2026-1121 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Red Hat | — | 4.6 | MEDIUM | (no vector given; this is the score Red Hat assigns to the undici issue CVE-2026-1527 in its entry below) |
GHSA
ghsa · 2026-03-13
CVE-2026-1527 [MEDIUM] CWE-93: Undici has CRLF Injection in undici via `upgrade` option
Note: this advisory concerns CVE-2026-1527 in the undici Node.js HTTP client, not the KSOA SQL injection tracked as CVE-2026-1121; it is aggregated here alongside it.
### Impact
When an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\r\n`) to:
1. Inject arbitrary HTTP headers
2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the `upgrade` value directly to the socket without validating for invalid header characters:
```javascript
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
```
### Patches
Patched in undici v7.24.0 (7.x line) and v6.24.0 (6.x line). Users should upgrade to those versions or later.
### Workarounds
Validate the `upgrade` option before it reaches `client.request()`: reject any value containing CR (`\r`), LF (`\n`) or other characters that are invalid in an HTTP header value, or do not pass user-controlled input to this option at all.
GHSA
ghsa_unreviewed · 2026-01-18
GHSA-x4w4-c97j-2px5: CVE-2026-1121 [MEDIUM] CWE-74. A vulnerability was found in Yonyou KSOA 9.0. The advisory text is identical to the description at the top of this page.
Red Hat
vendor_redhat · 2026-03-12 · CVSS 4.6
CVE-2026-1527 [MEDIUM] CWE-93: undici: HTTP header injection and request smuggling vulnerability
Red Hat's entry repeats the GHSA impact text and the client-h1.js snippet above verbatim, then adds:
A flaw was found in undici, a Node.js HTTP/1.1 client. This vulnerability allows a remote attacker to inject malicious data into HTTP headers or prematurely end HTTP requests by
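For the undici CRLF issue described in the GHSA and Red Hat entries above, here is an added example written for this page (it is not undici's code). It reproduces the interpolation pattern of the quoted client-h1.js line in a stand-alone function, shows how a CRLF-bearing `upgrade` value adds a header and pushes raw bytes past the end of the request head, and pairs it with the validation the workaround calls for. The function names, the toy head parser and the sample values (`websocket`, the `x-injected` header, the Redis-style `SET` line) are assumptions for the example; the invalid-character set is the one Node's own http module uses to reject header values.

```javascript
// Added example (not undici's code): models the `upgrade` interpolation quoted
// in the advisory, the effect of CRLF in the value, and a hardened variant.
// Function names, the head parser and the sample values are assumptions.

// Same character set Node's http module rejects in header values:
// anything outside HTAB, printable ASCII and obs-text (0x80-0xFF).
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

function isValidUpgradeValue(value) {
  return typeof value === 'string' && value.length > 0 && !INVALID_HEADER_CHAR.test(value);
}

// Unchecked: interpolates the value exactly like the quoted client-h1.js line.
function buildRequestHeadUnchecked(method, path, host, upgrade) {
  let header = `${method} ${path} HTTP/1.1\r\nhost: ${host}\r\n`;
  if (upgrade) {
    header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`;
  }
  return header + '\r\n';
}

// Hardened: refuses to build the head if the value could break out of its line.
function buildRequestHeadChecked(method, path, host, upgrade) {
  if (upgrade && !isValidUpgradeValue(upgrade)) {
    throw new TypeError('invalid upgrade header value');
  }
  return buildRequestHeadUnchecked(method, path, host, upgrade);
}

// Splits a request head the way a receiving server would: header names before
// the first blank line, and whatever follows it as body (or the next message).
function parseHead(head) {
  const end = head.indexOf('\r\n\r\n');
  const lines = head.slice(0, end).split('\r\n');
  const headers = lines.slice(1).map((l) => l.split(/:\s*/, 2)[0].toLowerCase());
  return { requestLine: lines[0], headers, trailingBody: head.slice(end + 4) };
}

// Constructed sample values (not taken from any real request).
const BENIGN = 'websocket';
const HEADER_INJECT = 'websocket\r\nx-injected: 1';          // adds a header
const SMUGGLE = 'websocket\r\n\r\nSET key value';             // ends the head early

function demo(upgradeValue) {
  const head = buildRequestHeadUnchecked('GET', '/', 'example.invalid', upgradeValue);
  return parseHead(head);
}

for (const value of [BENIGN, HEADER_INJECT, SMUGGLE]) {
  const result = demo(value);
  console.log(JSON.stringify({ upgrade: value, headers: result.headers, trailingBody: result.trailingBody }));
}
```

With `HEADER_INJECT` the server sees an extra `x-injected` header; with `SMUGGLE` the bytes `SET key value` land after the blank line, which is exactly the raw data a non-HTTP service such as Redis would read as a command. `buildRequestHeadChecked` throws on both while accepting `websocket` or `h2c` unchanged.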
No detection rules found.
No public exploits indexed.
Published: 2026-01-18