
CVE-2026-7672

Severity: MEDIUM · 6.3
Hype rating: MOSTLY HYPE · 28

Public PoC disclosed; pure feed automation; no defender signal or in-the-wild exploitation reported yet.

What: SQL injection in youlaitech youlai-boot getUserList endpoint (Users Controller) via argument order manipulation; affects versions ≤2.21.1; CVSS 6.3 MEDIUM.

Why it matters: Public exploit disclosure exists and vendor did not respond to early notification. However, CVE is not KEV-listed, no EPSS score available, and no evidence of active in-the-wild exploitation or mass scanning reported in social chatter. Appears to be automated CVE feed amplification rather than defender triage activity.

Where it's seen: Automated CVE alert aggregators and security feeds (CVEarity, CVEnew, VulmonFeeds, Vulmon) republishing the NVD description on the day of publication; no researcher analysis, PoC links, or patch advisories are present in the top posts.

RISK: MODERATE — SQL injection with public PoC; medium CVSS; vendor unresponsive but no evidence of widespread exploitation.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/3/2026, 7:15:39 AM

Public PoCs on GitHub (2 repos)

Articles & coverage (13 articles)

  • CVE-2026-27672 - Medium Vulnerability - TheHackerWire

    This vulnerability has a CVSS score of 4.3 out of 10, rated as Medium. Medium severity vulnerabilities require specific conditions to exploit

  • CVE-2026-26724 Detail - NVD - NIST

    Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute

  • CVE-2026-0672 - Red Hat Customer Portal

    An injection flaw has been discovered in Python. When using http.cookies.Morsel, user-controlled cookie values and parameters can allow

  • CVE-2026-23672: Windows UDFS Privilege Escalation Flaw

    This kernel-mode driver vulnerability enables a local attacker with low privileges to escalate their access to higher privilege levels,

  • NVD - CVE-2026-36767

    NVD entry excerpt: references table (sources: MITRE; CISA-ADP, MITRE); Weakness Enumeration: CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), source CISA-ADP; Change History: 2 change records, CVE Modified by CISA-ADP 4/30/2026 2:16:29 PM.

NVD details: 2 CWE · 0 vendors · 4 refs

Description

A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Weaknesses

References

Top posts driving the trend