CVE-2026-3818
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A flaw has been found in Tiandy Easy7 CMS Windows 7.17.0. An unknown function of the file /Easy7/apps/WebService/GetDBData.jsp is affected. Manipulation of the argument strTBName causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
SQL injection in Tiandy Easy7 CMS 7.17.0 allows unauthenticated remote attackers to manipulate the strTBName parameter in GetDBData.jsp, potentially accessing or modifying sensitive database information. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
Remediation
Within 24 hours: Inventory all Tiandy Easy7 CMS deployments and restrict network access to the /Easy7/apps/WebService/GetDBData.jsp endpoint using firewall rules or WAF policies. Within 7 days: Implement comprehensive network segmentation isolating CMS systems from critical assets and deploy enhanced monitoring/logging on affected systems. …
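For the monitoring step, one starting point is the web server's access log. The following is an added example, not part of the original advisory and not vendor code: it flags requests to the GetDBData.jsp endpoint whose strTBName value is not a plain identifier. It assumes common/combined log format and that legitimate table names are simple identifiers; the table name `tb_device` and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/easy7/apps/webservice/getdbdata.jsp"  # advisory path, case-folded
PARAM = "strTBName"                                # parameter named in the advisory
# Assumption: legitimate table names are plain SQL identifiers.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# Client IP and request target from a common/combined-format log line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

def classify(line):
    """Return (ip, verdict, values) for requests to the endpoint, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode the path, drop ";params", and case-fold so odd spellings still match.
    path = unquote(parts.path).split(";")[0].lower()
    if path != ENDPOINT:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if not values:
        verdict = "review"      # parameter not in the URL, e.g. sent in a POST body
    elif len(values) > 1 or not all(SAFE_NAME.fullmatch(v) for v in values):
        verdict = "suspicious"  # repeated parameter or non-identifier table name
    else:
        verdict = "ok"
    return m["ip"], verdict, values

def scan(lines):
    """Return every endpoint hit that is not a clean identifier lookup."""
    hits = [classify(line) for line in lines]
    return [h for h in hits if h and h[1] != "ok"]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /Easy7/apps/WebService/GetDBData.jsp?strTBName=tb_device HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /easy7/apps/WebService/GetDBData.jsp;x=1?strTBName=tb_device%27 HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2026:10:00:06 +0000] "POST /Easy7/apps/WebService/GetDBData.jsp HTTP/1.1" 500 0',
    '192.0.2.10 - - [01/Jan/2026:10:00:09 +0000] "GET /Easy7/index.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, verdict, values in scan(SAMPLE_LOG):
        print(f"{verdict:10} {ip:15} {values}")
```

Access logs do not record POST bodies, so hits marked "review" need WAF or application-level logging to inspect the parameter.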