{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1050", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-16T16:43:18.763Z", "datePublished": "2026-01-17T18:02:05.805Z", "dateUpdated": "2026-02-26T15:56:28.394Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:33:24.762Z"}, "title": "risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "risesoft-y9", "product": "Digital-Infrastructure", "versions": [{"version": "9.6.0", "status": "affected"}, {"version": "9.6.1", "status": "affected"}, {"version": "9.6.2", "status": "affected"}, {"version": "9.6.3", "status": "affected"}, {"version": "9.6.4", "status": "affected"}, {"version": "9.6.5", "status": "affected"}, {"version": "9.6.6", "status": "affected"}, {"version": "9.6.7", "status": "affected"}], "modules": ["REST Authenticate Endpoint"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-16T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-16T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-18T00:39:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ZAST.AI (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.341603", "name": "VDB-341603 | risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.341603", "name": "VDB-341603 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.731010", "name": "Submit #731010 | risesoft-y9 Digital-Infrastructure <=9.6.7 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/risesoft-y9/Digital-Infrastructure/issues/2", "tags": ["issue-tracking"]}, {"url": "https://github.com/risesoft-y9/Digital-Infrastructure/issues/2#issue-3777863959", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/risesoft-y9/Digital-Infrastructure/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T21:35:48.108878Z", "id": "CVE-2026-1050", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:56:28.394Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1050", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T21:35:48.108878Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:36:20.934Z"}}], "cna": {"title": "risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "ZAST.AI (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "risesoft-y9", "modules": ["REST Authenticate Endpoint"], "product": "Digital-Infrastructure", "versions": [{"status": "affected", "version": "9.6.0"}, {"status": "affected", "version": "9.6.1"}, {"status": "affected", "version": "9.6.2"}, {"status": "affected", "version": "9.6.3"}, {"status": "affected", "version": "9.6.4"}, {"status": "affected", "version": "9.6.5"}, {"status": "affected", "version": "9.6.6"}, {"status": "affected", "version": "9.6.7"}]}], "timeline": [{"lang": "en", "time": "2026-01-16T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-16T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-18T00:39:04.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.341603", "name": "VDB-341603 | risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.341603", "name": "VDB-341603 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.731010", "name": "Submit #731010 | risesoft-y9 Digital-Infrastructure <=9.6.7 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/risesoft-y9/Digital-Infrastructure/issues/2", "tags": ["issue-tracking"]}, {"url": "https://github.com/risesoft-y9/Digital-Infrastructure/issues/2#issue-3777863959", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/risesoft-y9/Digital-Infrastructure/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:33:24.762Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1050", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:56:28.394Z", "dateReserved": "2026-01-16T16:43:18.763Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-17T18:02:05.805Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en risesoft-y9 Digital-Infrastructure hasta la versi\u00f3n 9.6.7. Afecta a una funci\u00f3n desconocida del archivo source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java del componente REST Authenticate Endpoint. La ejecuci\u00f3n de una manipulaci\u00f3n puede conducir a una inyecci\u00f3n SQL. El ataque puede lanzarse de forma remota. El exploit ha sido publicado y puede ser utilizado. El proyecto fue notificado del problema con antelaci\u00f3n a trav\u00e9s de un informe de incidencias, pero a\u00fan no ha respondido."}], "id": "CVE-2026-1050", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-17T18:15:48.917", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/risesoft-y9/Digital-Infrastructure/"}, {"source": "cna@vuldb.com", "url": "https://github.com/risesoft-y9/Digital-Infrastructure/issues/2"}, {"source": "cna@vuldb.com", "url": "https://github.com/risesoft-y9/Digital-Infrastructure/issues/2#issue-3777863959"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.341603"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.341603"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.731010"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:34:41.171782+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched release of the Digital\u2011Infrastructure component that resolves the SQL injection in Y9PlatformUtil.java.", "If an upgrade is not immediately possible, restrict network access to the REST authentication endpoint to trusted networks only to limit exposure.", "Implement input validation or use parameterized queries in the authentication logic to prevent raw SQL construction, directly addressing the CWE\u201174/CWE\u201189 weakness."], "summary": {"action": "Apply Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected vendors/products include risesoft\u2011y9\u2019s Digital\u2011Infrastructure, versions up to and including 9.6.7. No specific sub\u2011version enumeration is provided beyond the maximum affected version; any release 9.6.7 or earlier is vulnerable.", "description_and_impact": "The vulnerability is a SQL injection flaw in the REST authentication endpoint of the risesoft\u2011y9 Digital\u2011Infrastructure component, specifically in Y9PlatformUtil.java. It allows attackers to inject arbitrary SQL during remote authentication requests, potentially leading to data disclosure or unauthorized data manipulation. The weakness is classified under CWE\u201174 and CWE\u201189, exposing confidentiality and integrity of database contents.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity. EPSS is below 1\u202f% yet an exploit has been published, implying that while low probability of mass exploitation remains, the vulnerability can be leveraged remotely by sending crafted authentication requests. Monitor for unauthenticated or suspicious POST requests to the authentication endpoint, as exploitation requires no prior credentials."}}}}, "created": "2026-01-19T09:18:57.031428+00:00", "updated": "2026-04-18T05:45:38.166122+00:00", "vendors": ["risesoft-y9", "risesoft-y9$PRODUCT$digital-infrastructure"]}