Skip to main content

Easy7 Integrated Management Platform CVE-2026-4221

| EUVDEUVD-2026-12357 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-16 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Severity Changed
Apr 22, 2026 - 21:37 NVD
HIGH MEDIUM
CVSS changed
Apr 22, 2026 - 21:37 NVD
7.3 (HIGH) 6.9 (MEDIUM)
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 16, 2026 - 07:00 euvd
EUVD-2026-12357
Analysis Generated
Mar 16, 2026 - 07:00 vuln.today
CVE Published
Mar 16, 2026 - 06:32 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This affects an unknown part of the file /rest/file/uploadLedImage of the component Endpoint. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

An unrestricted file upload vulnerability exists in the Tiandy Easy7 Integrated Management Platform version 7.17.0, specifically in the /rest/file/uploadLedImage endpoint. This vulnerability allows remote attackers without authentication to upload arbitrary files, potentially leading to remote code execution. A proof-of-concept exploit has been publicly released and the vendor has not responded to disclosure attempts, leaving this vulnerability unpatched and actively exploitable.

Technical ContextAI

The vulnerability affects the Tiandy Easy7 Integrated Management Platform (CPE: cpe:2.3:a:tiandy:easy7_integrated_management_platform:*:*:*:*:*:*:*:*), which appears to be a security/surveillance management system. The flaw is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type), occurring in the LED image upload functionality at the /rest/file/uploadLedImage endpoint. This type of vulnerability typically occurs when applications fail to properly validate file types, extensions, or content before accepting uploads, allowing attackers to upload executable files or scripts that can be later executed on the server.

RemediationAI

No official patch is available as the vendor has not responded to vulnerability disclosure. Immediate mitigation steps include: 1) Restrict network access to the /rest/file/uploadLedImage endpoint through firewall rules or web application firewall, 2) Implement authentication requirements for file upload functionality if possible through reverse proxy, 3) Monitor for suspicious file uploads and unusual activity on affected systems, 4) Consider disabling the LED image upload feature if not business-critical, 5) Isolate affected systems from critical infrastructure until a patch becomes available. Organizations should monitor vendor channels for future security updates.

Share

CVE-2026-4221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy