CVE-2025-10090

HIGH EXPLOITED NUCLEI

Jinher OA < 1.2 - Injection

Title source: rule

Description

A flaw has been found in Jinher OA up to 1.2. The impacted element is an unknown function of the file /C6/Jhsoft.Web.departments/GetTreeDate.aspx. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

Exploits (1)

github WORKING POC 40 stars

by iSee857 · pythonpoc

https://github.com/iSee857/CVE-PoC/tree/main/JinherOA-CVE-2025-10090-sqlInjection.py

View Code ZIP pw:eip

Nuclei Templates (1)

Jinher OA - SQL Injection

HIGHVERIFIEDby DhiyaneshDk

FOFA: app="金和网络-金和OA"||body="/jc6/platform/sys/login"

References (4)

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/Cstarplus/CVE/issues/1

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.323045

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.323045

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.644635

Scores

CVSS v3 7.3

EPSS 0.0127

EPSS Percentile 79.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

VulnCheck KEV 2026-03-31

CWE

CWE-74 CWE-89

Status published

Products (1)

jinher/jinher_oa < 1.2

Published Sep 08, 2025

Tracked Since Feb 18, 2026