Description
A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary SQL through the fCircuitids argument in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. This flaw falls under CWE-89 (SQL Injection) and can be triggered remotely, giving the attacker the ability to read, modify, or delete data in the underlying database. The impact includes potential data exfiltration, integrity compromise, and service disruption for users of the platform.

Affected Systems

Acrel Electrical’s EEMS Enterprise Power Operation and Maintenance Cloud Platform, specifically version 1.3.0, is affected. No other affected versions are listed.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The exploit has been publicly disclosed and can be launched remotely, although the EPSS score is not available and the vulnerability is not on the CISA KEV list. Attackers could exploit it by sending crafted requests to the vulnerable endpoint, provided they can reach the target network. Due to the lack of mitigation from the vendor, the risk remains effective until a patch or workaround is applied.

Generated by OpenCVE AI on May 3, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of the EEMS Enterprise Power Operation and Maintenance Cloud Platform that contains the vendor’s fix for the SQL injection vulnerability.
  • Implement strict input validation and use parameterized SQL queries for the fCircuitids parameter to prevent code injection.
  • Restrict network access to the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint, allowing only trusted hosts or VPN connections.
  • Enable detailed logging of requests to the endpoint and monitor for anomalous fCircuitids values, alerting on potential injection attempts.

Generated by OpenCVE AI on May 3, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 03 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform elecMaxMinAvgValue sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T12:15:36.951Z

Reserved: 2026-05-02T19:38:02.958Z

Link: CVE-2026-7695

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-03T13:16:08.797

Modified: 2026-05-03T13:16:08.797

Link: CVE-2026-7695

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-03T13:30:15Z

Weaknesses