Description
A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise
Action: Assess Impact
AI Analysis

Impact

A remotely exploitable SQL injection vulnerability (CWE-89) has been reported in Tiandy Easy7 Integrated Management Platform. The flaw lies in an unspecified function behind the REST endpoint /rest/preSetTemplate/getRecByTemplateId: the ID argument is used in a database query without adequate sanitization, so a crafted value changes the SQL that is executed. Depending on the database privileges the application runs with, this can allow unauthorized reading or modification of the underlying database, potentially exposing configuration or operational data of the platform. The CVE description notes that an exploit has been publicly disclosed and may be used, and that the vendor did not respond to the disclosure.
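The pattern behind CWE-89 as it applies to an ID argument, shown as an added example that is not code from Tiandy or from the Easy7 platform (the advisory does not disclose the vulnerable query or the implementation language): a hypothetical lookup that splices the argument into the SQL text, beside a hardened form that type-checks the value and binds it as a parameter, both run against a constructed in-memory SQLite table. The table and column names, the function names and the payload string are assumptions for illustration only.

```python
import sqlite3


def build_demo_db():
    # Constructed stand-in for the platform's preset-template records. The real
    # schema is not disclosed in the advisory; these names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE preset_template (id INTEGER PRIMARY KEY, name TEXT, config TEXT)"
    )
    conn.executemany(
        "INSERT INTO preset_template VALUES (?, ?, ?)",
        [
            (1, "lobby", "cam=1;preset=3"),
            (2, "parking", "cam=7;preset=1"),
            (3, "vault", "cam=9;preset=2"),
        ],
    )
    return conn


def get_rec_by_template_id_unsafe(conn, template_id):
    # CWE-89 pattern (hypothetical, not the product's code): the request
    # argument is spliced into the SQL text, so whatever the client sends
    # becomes part of the statement the database parses.
    sql = f"SELECT id, name, config FROM preset_template WHERE id = {template_id}"
    return conn.execute(sql).fetchall()


def get_rec_by_template_id_safe(conn, template_id):
    # Hardened form: reject anything that is not an integer, then bind the
    # value as a parameter so the database never treats it as SQL syntax.
    try:
        template_id = int(template_id)
    except (TypeError, ValueError):
        raise ValueError("template id must be an integer")
    sql = "SELECT id, name, config FROM preset_template WHERE id = ?"
    return conn.execute(sql, (template_id,)).fetchall()


def demo():
    # Runs both variants with a benign value and a constructed tautology
    # payload (a textbook example, not taken from the public exploit).
    conn = build_demo_db()
    benign = "2"
    hostile = "2 OR 1=1"
    results = {
        "unsafe_benign": get_rec_by_template_id_unsafe(conn, benign),
        "unsafe_hostile": get_rec_by_template_id_unsafe(conn, hostile),
        "safe_benign": get_rec_by_template_id_safe(conn, benign),
    }
    try:
        get_rec_by_template_id_safe(conn, hostile)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The unsafe lookup returns one row for the benign value and every row for the tautology, which is the "unauthorized reading" outcome the impact section describes; the hardened lookup returns the same single row for the benign value and refuses the hostile one before any SQL is built. Parameter binding alone would also be sufficient (the string would simply never equal an integer id); the explicit type check in addition gives the caller a clear error instead of an empty result.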

Affected Systems

The vulnerability affects Tiandy Easy7 Integrated Management Platform versions up to and including 7.17.0. The affected component is the ID argument of the REST endpoint /rest/preSetTemplate/getRecByTemplateId. The CVE data gives no lower version bound and identifies no fixed version.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 rates the issue medium; the CVSS 3.1 score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) rates it high. The EPSS score is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog. The vector strings describe a network-reachable, low-complexity attack that requires neither privileges nor user interaction: an attacker who can reach the REST endpoint sends an HTTP request with a crafted ID argument. Because a proof-of-concept exploit is public (SSVC: Exploitation "poc", Automatable "yes") and the vendor has not responded, the risk of exploitation remains significant until the endpoint is remediated or isolated.

Generated by OpenCVE AI on March 17, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround has been provided; the vendor did not respond to the disclosure.

OpenCVE Recommended Actions

  • Check the Tiandy website or contact the vendor for an official patch for Easy7 Integrated Management Platform; the vendor had not responded at the time of disclosure.
  • Apply the vendor patch to all affected instances as soon as one is available.
  • Until then, restrict access to the /rest/preSetTemplate/getRecByTemplateId endpoint (and preferably the whole management interface) to trusted IPs at a firewall or reverse proxy; the issue is exploitable without authentication.
  • Monitor web-server and application logs for requests to the endpoint whose ID argument is not a plain identifier (quotes, comment sequences, SQL keywords) and for database errors following such requests; these may indicate exploitation attempts.
  • If no patch becomes available, disable or block the endpoint rather than leave it exposed; the CVE data does not identify any version in which the issue is fixed.
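A log check implementing the monitoring step above, added here as example code that is not part of OpenCVE's or Tiandy's tooling. It assumes the ID is sent as a GET query-string argument (values posted in a request body do not appear in web-server access logs) and that a legitimate template ID is a short positive integer; the endpoint path and argument name come from the CVE description, and the log lines are constructed in combined log format for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and argument name as given in the CVE description.
VULN_PATH = "/rest/preSetTemplate/getRecByTemplateId"
ARG_NAME = "id"  # matched case-insensitively; the advisory spells it "ID"

# Assumption: a legitimate template ID is a short positive integer. Adjust this
# pattern if the platform uses a different identifier format.
EXPECTED_ID = re.compile(r"^\d{1,10}$")

# Fragments that do not belong in an integer ID and are typical of SQL injection.
SUSPECT = re.compile(
    r"('|\"|--|/\*|;|\bor\b|\band\b|\bunion\b|\bselect\b|\bsleep\b|\bwaitfor\b|\bbenchmark\b)",
    re.IGNORECASE,
)

# Combined log format (nginx/Apache): client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def extract_id(target):
    """Return the decoded ID argument when the request hits the vulnerable endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == ARG_NAME:
            # parse_qs decoded once; decode again so double-encoded payloads are not missed.
            return unquote_plus(values[0])
    return None


def classify_id(value):
    """Return a reason string if the ID looks hostile or malformed, None if it looks legitimate."""
    if EXPECTED_ID.match(value):
        return None
    m = SUSPECT.search(value)
    if m:
        return f"sql fragment {m.group(0)!r} in ID"
    return "non-numeric ID"


def scan_log(lines):
    """Return one finding per request to the endpoint whose ID argument fails the checks."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = extract_id(m.group("target"))
        if value is None:
            continue
        reason = classify_id(value)
        if reason:
            findings.append(
                {
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "id": value,
                    "reason": reason,
                }
            )
    return findings


# Constructed sample log lines (not real traffic); client addresses are documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2026:10:01:02 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?ID=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Mar/2026:10:01:03 +0000] "GET /rest/other?ID=1%27 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Mar/2026:10:05:44 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?ID=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [17/Mar/2026:10:05:45 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?id=12%2520AND%2520SLEEP(5) HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.9 - - [17/Mar/2026:10:07:00 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?ID=abc HTTP/1.1" 400 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} id={f['id']!r}: {f['reason']}")
```

Run it over exported access logs from the reverse proxy or the platform's own web server; requests to other paths are ignored, a plain integer passes, and a quoted or double-encoded payload is reported with the fragment that tripped the check. An ID that is non-numeric but contains no SQL fragment is still reported, at lower confidence, since the expected format is an assumption. Correlate hits with 500-series responses and database errors in the application log, which is the second signal the recommended actions call for.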

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Tiandy; Tiandy easy7 Integrated Management Platform
Vendors & Products    (none)           Tiandy; Tiandy easy7 Integrated Management Platform

Tue, 17 Mar 2026 00:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title         (none)           Tiandy Easy7 Integrated Management Platform getRecByTemplateId sql injection
Weaknesses    (none)           CWE-74, CWE-89
References    (none)
Metrics       (none)           cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-17T13:32:52.355Z

Reserved: 2026-03-16T16:31:56.591Z

Link: CVE-2026-4289

Vulnrichment

Updated: 2026-03-17T13:32:48.889Z

NVD

Status: Awaiting Analysis

Published: 2026-03-17T00:16:19.910

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-4289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:39Z

Weaknesses