CVE-2020-7356

CRITICAL

CAYIN xPost - Unauthenticated SQL Injection via wayfinder_seqid Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7356. PoCs published by h00die and Gjoko Krstic (LiquidWorm), including the Metasploit module exploits/windows/http/cayin_xpost_sql_rce.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated SQL injection in Cayin xPost <=2.5 via the wayfinder_seqid parameter, leading to remote code execution by writing a JSP payload to disk and triggering it.

Description

CAYIN xPost suffers from an unauthenticated SQL injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and to execute SYSTEM commands.

Exploits (1)

metasploit · WORKING POC · EXCELLENT
by h00die, Gjoko Krstic (LiquidWorm) · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/cayin_xpost_sql_rce.rb


Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cayin xPost <=2.5
No auth needed
Prerequisites: Network access to the target · Default or known webroot path
devstral-2 · analyzed Feb 16, 2026

References (2)

Exploit, Third Party Advisory x_refsource_misc
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php
Patch, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/13607

Scores

CVSS v3 10.0
EPSS 0.1401
EPSS Percentile 96.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Details

CWE CWE-89
Status published
Products (3)
cayintech/xpost 1.0
cayintech/xpost 2.0
cayintech/xpost 2.5.18103
Published Aug 06, 2020
Tracked Since Feb 18, 2026