Which versions of Integrated Management Platform are affected by CVE-2026-4232?

An unauthenticated SQL injection vulnerability in Tiandy Integrated Management Platform 7.17.0 allows attackers to directly access and manipulate database contents without credentials.

Is there a public PoC exploit available for CVE-2026-4232?

Yes, a public proof-of-concept exploit is available for CVE-2026-4232. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-4232?

Within 24 hours: inventory all systems running Tiandy 7.17.0 and restrict network access to the /rest/user/getAuthorityByUserId endpoint to trusted networks only. Within 7 days: implement Web Application Firewall (WAF) rules to block SQL injection payloads targeting the userId parameter, and evaluate network segmentation to isolate affected systems. Within 30 days: contact Tiandy for patch availability and timelines; if unavailable, develop a migration plan to alternative platforms or implement comprehensive compensating controls including reverse proxy authentication, input validation, and enhanced monitoring.

Integrated Management Platform CVE-2026-4232

Q: What is the CVSS score of CVE-2026-4232?

CVE-2026-4232 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-12381 MEDIUM

SQL Injection (CWE-89)

2026-03-16 VulDB

SQLi Integrated Management Platform

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

Severity Changed

Apr 22, 2026 - 21:37 NVD

HIGH MEDIUM

CVSS changed

Apr 22, 2026 - 21:37 NVD

7.3 (HIGH) 6.9 (MEDIUM)

PoC Detected

Mar 16, 2026 - 14:53 vuln.today

Public exploit code

EUVD ID Assigned

Mar 16, 2026 - 10:00 euvd

EUVD-2026-12381

Analysis Generated

Mar 16, 2026 - 10:00 vuln.today

CVE Published

Mar 16, 2026 - 09:32 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability was determined in Tiandy Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /rest/user/getAuthorityByUserId. Executing a manipulation of the argument userId can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Tiandy Integrated Management Platform 7.17.0 via the /rest/user/getAuthorityByUserId endpoint allows unauthenticated remote attackers to manipulate the userId parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP request to /rest/user/getAuthorityByUserId endpoint

Exploit

Inject malicious SQL in userId parameter

Execution

Execute arbitrary SQL queries

Impact

Extract sensitive database information