{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4289", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-16T16:31:56.591Z", "datePublished": "2026-03-17T00:03:10.717Z", "dateUpdated": "2026-03-17T13:32:52.355Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-17T00:03:10.717Z"}, "title": "Tiandy Easy7 Integrated Management Platform getRecByTemplateId sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Tiandy", "product": "Easy7 Integrated Management Platform", "versions": [{"version": "7.0", "status": "affected"}, {"version": "7.1", "status": "affected"}, {"version": "7.2", "status": "affected"}, {"version": "7.3", "status": "affected"}, {"version": "7.4", "status": "affected"}, {"version": "7.5", "status": "affected"}, {"version": "7.6", "status": "affected"}, {"version": "7.7", "status": "affected"}, {"version": "7.8", "status": "affected"}, {"version": "7.9", "status": "affected"}, {"version": "7.10", "status": "affected"}, {"version": "7.11", "status": "affected"}, {"version": "7.12", "status": "affected"}, {"version": "7.13", "status": "affected"}, {"version": "7.14", "status": "affected"}, {"version": "7.15", "status": "affected"}, {"version": "7.16", "status": "affected"}, {"version": "7.17.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-16T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-16T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-16T17:39:08.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "0menc (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.351294", "name": "VDB-351294 | Tiandy Easy7 Integrated Management Platform getRecByTemplateId sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351294", "name": "VDB-351294 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.771997", "name": "Submit #771997 | Tiandy Technologies Co., Ltd. Tiandy Easy7 Integrated Management Platform 7.17.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://my.feishu.cn/docx/UmmudBVvYoMwpIxUtTicjsS8nDe?from=from_copylink", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:32:44.899429Z", "id": "CVE-2026-4289", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:32:52.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4289", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:32:44.899429Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:32:48.889Z"}}], "cna": {"title": "Tiandy Easy7 Integrated Management Platform getRecByTemplateId sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "0menc (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Tiandy", "product": "Easy7 Integrated Management Platform", "versions": [{"status": "affected", "version": "7.0"}, {"status": "affected", "version": "7.1"}, {"status": "affected", "version": "7.2"}, {"status": "affected", "version": "7.3"}, {"status": "affected", "version": "7.4"}, {"status": "affected", "version": "7.5"}, {"status": "affected", "version": "7.6"}, {"status": "affected", "version": "7.7"}, {"status": "affected", "version": "7.8"}, {"status": "affected", "version": "7.9"}, {"status": "affected", "version": "7.10"}, {"status": "affected", "version": "7.11"}, {"status": "affected", "version": "7.12"}, {"status": "affected", "version": "7.13"}, {"status": "affected", "version": "7.14"}, {"status": "affected", "version": "7.15"}, {"status": "affected", "version": "7.16"}, {"status": "affected", "version": "7.17.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-16T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-16T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-16T17:39:08.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.351294", "name": "VDB-351294 | Tiandy Easy7 Integrated Management Platform getRecByTemplateId sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351294", "name": "VDB-351294 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.771997", "name": "Submit #771997 | Tiandy Technologies Co., Ltd. Tiandy Easy7 Integrated Management Platform 7.17.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://my.feishu.cn/docx/UmmudBVvYoMwpIxUtTicjsS8nDe?from=from_copylink", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-17T00:03:10.717Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4289", "state": "PUBLISHED", "dateUpdated": "2026-03-17T13:32:52.355Z", "dateReserved": "2026-03-16T16:31:56.591Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-17T00:03:10.717Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en la Plataforma de Gesti\u00f3n Integrada Tiandy Easy7 hasta la versi\u00f3n 7.17.0. Esto afecta una funci\u00f3n desconocida del archivo /rest/preSetTemplate/getRecByTemplateId. La manipulaci\u00f3n del argumento ID conduce a inyecci\u00f3n SQL. El ataque puede ser iniciado remotamente. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. El proveedor fue contactado con antelaci\u00f3n sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-4289", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-17T00:16:19.910", "references": [{"source": "cna@vuldb.com", "url": "https://my.feishu.cn/docx/UmmudBVvYoMwpIxUtTicjsS8nDe?from=from_copylink"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.351294"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.351294"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.771997"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.17.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Easy7 Integrated Management Platform", "source": "cna", "vendor": "Tiandy"}, "product": "easy7_integrated_management_platform", "vendor": "tiandy"}], "analysis": {"en": {"generated_at": "2026-03-17T01:20:35.088756+00:00", "value": {"mitigation_remediation": ["Check Tiandy website or contact vendor for an official patch for Easy7 Integrated Management Platform.", "Apply the vendor patch to all affected instances immediately if available.", "Restrict or firewall the /rest/preSetTemplate/getRecByTemplateId endpoint to trusted IPs until a patch is applied.", "Monitor application logs for unusual SQL activity or error patterns that may indicate exploitation attempts.", "If no patch is available, consider disabling the endpoint or upgrading to a newer secure version."], "summary": {"action": "Assess Impact", "impact": "Data Compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Tiandy Easy7 Integrated Management Platform versions up to and including 7.17.0. The affected component is the REST endpoint /rest/preSetTemplate/getRecByTemplateId. No additional version information beyond the upper bound 7.17.0 is available from the CVE data.", "description_and_impact": "A remotely exploitable SQL injection vulnerability has been discovered in Tiandy Easy7 Integrated Management Platform. The flaw exists within the unknown function of the file /rest/preSetTemplate/getRecByTemplateId, where manipulating the ID parameter allows an attacker to inject arbitrary SQL. This can lead to unauthorized reading or alteration of the underlying database, potentially exposing sensitive configuration or operational data. The official description notes that the exploit has been publicly disclosed and may be used by threat actors.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity risk, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, where an attacker sends crafted HTTP requests to the vulnerable endpoint from outside the network. Because the exploit was publicly disclosed and may be used, the risk of exploitation remains significant without remediation."}}}}, "created": "2026-03-17T09:52:00.625859+00:00", "updated": "2026-03-24T10:49:39.255268+00:00", "vendors": ["tiandy", "tiandy$PRODUCT$easy7_integrated_management_platform"]}