{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2621", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-17T09:19:59.421Z", "datePublished": "2026-02-17T20:02:06.743Z", "dateUpdated": "2026-02-23T10:14:28.207Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:14:28.207Z"}, "title": "Sciyon Koyuan Thermoelectricity Heat Network Management System AsyncTreeProxy.aspx sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Sciyon", "product": "Koyuan Thermoelectricity Heat Network Management System", "versions": [{"version": "3.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0. This affects an unknown part of the file /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx. The manipulation of the argument PGUID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-17T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-18T09:48:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "red88-debug (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346272", "name": "VDB-346272 | Sciyon Koyuan Thermoelectricity Heat Network Management System AsyncTreeProxy.aspx sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346272", "name": "VDB-346272 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.751809", "name": "Submit #751809 | \u5357\u4eac\u79d1\u8fdc\u667a\u6167\u79d1\u6280\u96c6\u56e2\u80a1\u4efd\u6709\u9650\u516c\u53f8 Koyuan Thermoelectricity Heat Network Management System 3.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/red88-debug/CVEs/blob/main/Koyuan%20Thermoelectricity%20Heat%20Network%20Management%20System%20SQL%20Injection%20Vulnerability.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T21:07:42.505759Z", "id": "CVE-2026-2621", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T21:07:49.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2621", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T21:07:42.505759Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T21:07:44.979Z"}}], "cna": {"title": "Sciyon Koyuan Thermoelectricity Heat Network Management System AsyncTreeProxy.aspx sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "red88-debug (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Sciyon", "product": "Koyuan Thermoelectricity Heat Network Management System", "versions": [{"status": "affected", "version": "3.0"}]}], "timeline": [{"lang": "en", "time": "2026-02-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-17T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-18T09:48:53.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346272", "name": "VDB-346272 | Sciyon Koyuan Thermoelectricity Heat Network Management System AsyncTreeProxy.aspx sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346272", "name": "VDB-346272 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.751809", "name": "Submit #751809 | \u5357\u4eac\u79d1\u8fdc\u667a\u6167\u79d1\u6280\u96c6\u56e2\u80a1\u4efd\u6709\u9650\u516c\u53f8 Koyuan Thermoelectricity Heat Network Management System 3.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/red88-debug/CVEs/blob/main/Koyuan%20Thermoelectricity%20Heat%20Network%20Management%20System%20SQL%20Injection%20Vulnerability.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0. This affects an unknown part of the file /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx. The manipulation of the argument PGUID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:14:28.207Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2621", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:14:28.207Z", "dateReserved": "2026-02-17T09:19:59.421Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-17T20:02:06.743Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0. This affects an unknown part of the file /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx. The manipulation of the argument PGUID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0. Esto afecta una parte desconocida del archivo /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx. La manipulaci\u00f3n del argumento PGUID lleva a inyecci\u00f3n SQL. El ataque puede ser iniciado remotamente. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-2621", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-17T21:22:16.633", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/red88-debug/CVEs/blob/main/Koyuan%20Thermoelectricity%20Heat%20Network%20Management%20System%20SQL%20Injection%20Vulnerability.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346272"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346272"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.751809"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.0,3.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Koyuan Thermoelectricity Heat Network Management System", "source": "cna", "vendor": "Sciyon"}, "product": "koyuan_thermoelectricity_heat_network_management_system", "vendor": "sciyon"}], "analysis": {"en": {"generated_at": "2026-04-17T18:53:06.585051+00:00", "value": {"mitigation_remediation": ["Deploy the vendor\u2019s security patch or upgrade to a newer, non\u2011vulnerable release as soon as it becomes available.", "Restrict or block external access to the /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx endpoint for non\u2011authorized users.", "Implement strict input validation and parameterization for the PGUID field to eliminate injection vectors, addressing CWE\u201174 and CWE\u201189 weaknesses.", "Monitor database query logs for anomalous or unauthorized statements that may indicate ongoing injection attempts."], "summary": {"action": "Patch Now", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "Sciyon Koyuan Thermoelectricity Heat Network Management System version 3.0 contains the affected file path /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx. No additional sub-component or patch level details are documented, and the vendor has not released an official fix according to the available information.", "description_and_impact": "The vulnerability allows an attacker to inject arbitrary SQL by manipulating the PGUID parameter in the AsyncTreeProxy.aspx component. This flaw combines issues with missing input validation (CWE-74) and lack of proper parameterization (CWE-89). An attacker who successfully exploits the flaw can retrieve, modify, or delete data stored in the underlying database, potentially leading to privacy breaches or corruption of critical operational data.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker could likely launch the attack remotely via the web interface, provided the target system is exposed to the public or an untrusted internal network."}}}}, "created": "2026-02-18T10:33:22.434088+00:00", "updated": "2026-04-17T19:00:11.038821+00:00", "vendors": ["sciyon", "sciyon$PRODUCT$koyuan_thermoelectricity_heat_network_management_system"]}