Description
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Published: 2026-04-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data tampering and disclosure via unauthenticated SQL injection
Action: Apply Patch
AI Analysis

Impact

EasyFlow .NET, a product of Digiwin, has a SQL Injection flaw that lets unauthenticated remote attackers execute arbitrary SQL commands. The vulnerability can be used to read, modify, or delete database contents, directly compromising the confidentiality, integrity, and potentially the availability of stored data.

Affected Systems

Digiwin EasyFlow .NET versions prior to 8.1.5 are affected, including any build that has not applied the 2026/01/20 patch. Vendors and administrators should treat all installations that are not up to date as vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates Critical severity. EPSS is not available, and the lack of a KEV listing does not negate the risk: the attack can be performed without authentication over the network when the application is exposed. Exploitation requires only the ability to send HTTP requests to the vulnerable endpoint and does not rely on specialized configuration or privileged access.

Generated by OpenCVE AI on April 20, 2026 at 08:50 UTC.

Remediation

Vendor Solution

Update to version 8.1.5 or later, or install patch 2026/01/20.


OpenCVE Recommended Actions

  • Upgrade EasyFlow .NET to version 8.1.5 or later.
  • If upgrading is not immediately possible, install the vendor‑provided patch dated 2026/01/20.
  • Consider restricting network access to the application or operating it behind a firewall or Web Application Firewall to limit exposure to unauthenticated remote attackers.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Digiwin; Digiwin easyflow .net

Type: Vendors & Products
Values Removed: none
Values Added: Digiwin; Digiwin easyflow .net

Mon, 20 Apr 2026 07:45:00 +0000

Values Removed: none
Values Added:
Description: EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Title: Digiwin|EasyFlow .NET - SQL Injection
Weaknesses: CWE-89
References
Metrics:
cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-04-20T13:42:03.062Z

Reserved: 2026-04-09T10:34:39.912Z

Link: CVE-2026-5963

Vulnrichment

Updated: 2026-04-20T13:41:59.244Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T08:16:10.653

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-5963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T09:00:03Z

Weaknesses