CVE-2026-14737
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
A SQL injection vulnerability was found in Hanwang e-Face General Management Platform 6.3.5.4 in the file /sysAuthStr/querySysAuthStr.do. An attacker can remotely manipulate the order argument, leading to SQL injection. The exploit is publicly available.
Risk Assessment
The organization is at risk of remote database compromise, potentially leading to data leakage or unauthorized modification.
Recommendation
Immediately update the platform to the latest version or apply temporary mitigations such as input validation and parameterized queries.
Original NVD description (English source)
A vulnerability was identified in Hanwang e-Face General Management Platform 6.3.5.4. This impacts an unknown function of the file /sysAuthStr/querySysAuthStr.do. The manipulation of the argument order leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

