CVE-2026-51821

Shenzhou Shihan · Video Conference System

A SQL injection vulnerability in the /user/getUserLogin endpoint of Shenzhou Shihan Video Conference System v.1.0 allows unauthenticated remote attackers to execute arbitrary code.

Executive summary

A critical SQL injection vulnerability in the Shenzhou Shihan Video Conference System allows unauthenticated remote attackers to achieve arbitrary code execution.

Vulnerability

This is a SQL injection vulnerability within the /user/getUserLogin endpoint. An unauthenticated attacker can supply malicious input to this endpoint to manipulate database queries, which can ultimately lead to arbitrary code execution on the underlying host.

Business impact

The CVSS score of 9.8 classifies this as a critical vulnerability. Successful exploitation grants an attacker full control over the affected system, potentially leading to total data compromise, unauthorized access to sensitive video conference metadata, and complete system takeover. Immediate remediation is required to prevent total compromise of the infrastructure.

Remediation

Immediate Action: Check the vendor advisory at https://github.com/advisories/GHSA-pr6g-rx9p-2cw6 for the latest patches and apply them immediately.

Proactive Monitoring: Monitor web server logs for suspicious SQL injection patterns, such as unusual characters or SQL keywords in requests directed at the /user/getUserLogin endpoint.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block SQL injection attempts targeting the affected endpoint.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This is a critical flaw that requires immediate attention. Until a patch is confirmed and applied, administrators must restrict public network access to the /user/getUserLogin endpoint and implement strict WAF filtering to prevent potential exploitation.