CVE-2026-4289

Summary

A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
TiandyEasy7 Integrated Management Platform7.0affected
TiandyEasy7 Integrated Management Platform7.1affected
TiandyEasy7 Integrated Management Platform7.2affected
TiandyEasy7 Integrated Management Platform7.3affected
TiandyEasy7 Integrated Management Platform7.4affected
TiandyEasy7 Integrated Management Platform7.5affected
TiandyEasy7 Integrated Management Platform7.6affected
TiandyEasy7 Integrated Management Platform7.7affected
TiandyEasy7 Integrated Management Platform7.8affected
TiandyEasy7 Integrated Management Platform7.9affected
TiandyEasy7 Integrated Management Platform7.10affected
TiandyEasy7 Integrated Management Platform7.11affected
TiandyEasy7 Integrated Management Platform7.12affected
TiandyEasy7 Integrated Management Platform7.13affected
TiandyEasy7 Integrated Management Platform7.14affected
TiandyEasy7 Integrated Management Platform7.15affected
TiandyEasy7 Integrated Management Platform7.16affected
TiandyEasy7 Integrated Management Platform7.17.0affected

Weaknesses

  • CWE-89: SQL Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References