CVE-2022-4984
ZenTao Biz < 6.5, Max < 3.0, & Open Source Edition 16.5/16.5beta1 SQL Injection via user-login.html
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- November 13, 2025
- Published Date
- November 13, 2025
- Last Updated
- May 14, 2026
- Vendor
- Qingdao Esoft Tianchuang Network Technology Co., Ltd.
- Product
- ZenTao Biz, ZenTao Max, ZenTao Open Source Edition
- Description
- ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.
CVSS Scores
CVSS v4.0
8.7 - HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC Information
- Exploitation
- none
- Automatable
- Yes
- Technical Impact
- partial
Exploit Status
- Exploited in the Wild
- Yes (2026-01-24 00:00:00 UTC) Source
References
https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853
https://www.zentao.pm/download/zentao-community-edition-release-65-1171.html
https://www.zentao.pm/download/zentao-community-edition-release-30-1172.html
https://www.zentao.pm/download/zentao-community-edition-release-165-1170.html
https://www.zentao.pm/download/zentao-community-edition-release-1651-1143.html
https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2026-01-24 00:00:00 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel