CVE-2026-9523 - Vulnerability Details

- Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform getCalcmeterDetailDayListTree sql injection

Description

A vulnerability was detected in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2. Affected by this vulnerability is an unknown functionality of the file /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree. Performing a manipulation of the argument sort results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-26

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an SQL injection flaw in the getCalcmeterDetailDayListTree endpoint of Acrel Electrical's EEMS Enterprise Power Operation and Maintenance Cloud Platform. By manipulating the 'sort' argument, an attacker can execute arbitrary SQL statements from a remote location, potentially leading to data exfiltration, modification, or other database compromise. The flaw results from improper input validation and is linked to CWE‑74 and CWE‑89.

Affected Systems

Affected systems include Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 3000WEBV2. The flaw resides in the /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree component. No additional affected versions are documented.

Risk and Exploitability

The CVSS score of 6.9 indicates medium to high risk, and since the exploit is publicly available, attackers can automate the attack over the network. The EPSS score is not available, and the vulnerability is not listed in KEV, but the remote nature of the attack and lack of a vendor fix elevate concern. Without a patch, mitigation should focus on restraining the vulnerable endpoint, enforcing input validation, and constant monitoring.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Acrel Electrical

EEMS Enterprise Power Operation and Maintenance Cloud Platform

affected

Version	Status	Constraints
`3000WEBV2`	affected	—

No data.

Vendor Product Confidence Versions

Acrel Electrical

Eems Enterprise Power Operation And Maintenance Cloud Platform

95%

Version	Status	Scheme	Platform
`3000WEBV2`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Temporarily block access to the /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree endpoint using firewall rules.
Apply strict input validation to the 'sort' parameter to restrict it to allowed values, mitigating SQL injection (CWE‑74, 89).
Deploy a web application firewall to detect and block SQL injection patterns targeting the vulnerable endpoint.
Monitor application logs for suspicious query activity and investigate any unauthorized data access.
Contact Acrel Electrical to obtain a formal fix or security update and apply it immediately.

Generated by OpenCVE AI on May 26, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://ucn9h68n9289.feishu.cn/wiki/NpZHw0lypi6ztJkWLNxcGKR5nlb?from=from_copylink
https://vuldb.com/submit/814539
https://vuldb.com/vuln/365542
https://vuldb.com/vuln/365542/cti

History

Tue, 26 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 26 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2. Affected by this vulnerability is an unknown functionality of the file /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree. Performing a manipulation of the argument sort results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform getCalcmeterDetailDayListTree sql injection
First Time appeared		Acrel Electrical Acrel Electrical eems Enterprise Power Operation And Maintenance Cloud Platform
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:acrel_electrical:eems_enterprise_power_operation_and_maintenance_cloud_platform::::::::
Vendors & Products		Acrel Electrical Acrel Electrical eems Enterprise Power Operation And Maintenance Cloud Platform
References		https://ucn9h68n9289.feishu.cn/wiki/NpZHw0lypi6ztJkWLNxcGKR5nlb?from=from_copylink https://vuldb.com/submit/814539 https://vuldb.com/vuln/365542 https://vuldb.com/vuln/365542/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Acrel Electrical Eems Enterprise Power Operation And Maintenance Cloud Platform

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-26T02:30:39.399Z

Updated: 2026-05-26T12:47:34.711Z

Reserved: 2026-05-25T19:24:03.684Z

Link: CVE-2026-9523

Vulnrichment

Updated: 2026-05-26T12:47:29.746Z

NVD

Status : Received

Published: 2026-05-26T04:16:27.370

Modified: 2026-05-26T04:16:27.370

Link: CVE-2026-9523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T04:30:36Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object