Description
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Published: 2026-04-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized database access and modification
Action: Immediate Patch
AI Analysis

Impact

Digiwin EasyFlow .NET contains a SQL Injection flaw (CWE‑89) that permits unauthenticated remote attackers to embed arbitrary SQL statements, enabling them to read, alter, or delete data stored in the application database. The attacker can thus exfiltrate sensitive information or corrupt business records, potentially disrupting operations.

Affected Systems

The affected product is Digiwin EasyFlow .NET, with versions older than 8.1.3 subject to the vulnerability. Applying the official patch from 2025/07/15 or upgrading to any release 8.1.3 or later resolves the flaw.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and while the EPSS score is not available, the lack of KEV listing suggests no widespread exploitation yet. Nevertheless, the unauthenticated remote nature of the attack vector poses a high risk of data theft or loss, and organizations should treat this as a top‑priority issue.

Generated by OpenCVE AI on April 20, 2026 at 08:20 UTC.

Remediation

Vendor Solution

Update to version 8.1.3 or later, or install patch 2025/07/15.


OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to EasyFlow .NET version 8.1.3 or later.
  • Apply the 2025/07/15 patch if the standalone patch is required.
  • Restrict the database user permissions to the minimum necessary for normal application operations.



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Digiwin; Digiwin easyflow .net

Type: Vendors & Products
Values Removed: (none)
Values Added: Digiwin; Digiwin easyflow .net

Mon, 20 Apr 2026 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Type: Title
Values Removed: (none)
Values Added: Digiwin|EasyFlow .NET - SQL Injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-04-20T13:38:08.600Z

Reserved: 2026-04-09T10:34:41.136Z

Link: CVE-2026-5964

Vulnrichment

Updated: 2026-04-20T13:38:04.893Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T08:16:10.850

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-5964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T08:30:02Z

Weaknesses