Description
A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/GetDBDataEx.jsp. Performing a manipulation of the argument strTBName results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was discovered in Tiandy Easy7 Integrated Management Platform version 7.17.0. The GetDBDataEx.jsp component fails to sanitize the strTBName argument before including it in a database query. This oversight allows an attacker to inject arbitrary SQL, which can lead to unauthorized reading, alteration or deletion of data stored by the platform. The vulnerability is exploitable from a remote location through crafted HTTP requests and is already publicly documented.

Affected Systems

The attack targets Tiandy Easy7 Integrated Management Platform, specifically the 7.17.0 release. The vulnerability description does not list other affected versions, but the code involved is 'unknown', implying that any release containing GetDBDataEx.jsp could potentially be at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. Although no EPSS value is supplied, the exploit is publicly available and the vendor has not yet responded with a fix, raising the practical risk. The vulnerability is not listed in CISA's KEV catalog, but the public availability of the exploit means a timely response is critical.

Generated by OpenCVE AI on May 25, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's official patch or upgrade to the latest version of Easy7 Integrated Management Platform once available.
  • Restrict network access to the GetDBDataEx.jsp endpoint so that only trusted internal IP addresses can reach it.
  • Configure a Web Application Firewall or intrusion detection system to filter or block SQL injection patterns targeting the strTBName parameter.
  • Implement input validation on the strTBName parameter to ensure it matches only expected table names.

Generated by OpenCVE AI on May 25, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/GetDBDataEx.jsp. Performing a manipulation of the argument strTBName results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Tiandy Easy7 Integrated Management Platform GetDBDataEx.jsp sql injection
First Time appeared Tiandy
Tiandy easy7 Integrated Management Platform
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:tiandy:easy7_integrated_management_platform:*:*:*:*:*:*:*:*
Vendors & Products Tiandy
Tiandy easy7 Integrated Management Platform
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tiandy Easy7 Integrated Management Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T14:15:38.136Z

Reserved: 2026-05-24T08:55:37.419Z

Link: CVE-2026-9465

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T15:45:16Z

Weaknesses