Skip to main content

Easyflow Net CVE-2026-5963

| EUVDEUVD-2026-23797 CRITICAL
SQL Injection (CWE-89)
2026-04-20 twcert GHSA-q2rh-xrfv-8x3m
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 20, 2026 - 08:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 08:22 vuln.today
cvss_changed
CVSS changed
Apr 20, 2026 - 08:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Apr 20, 2026 - 07:56 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 07:45 euvd
EUVD-2026-23797
Analysis Generated
Apr 20, 2026 - 07:45 vuln.today
CVE Published
Apr 20, 2026 - 07:32 nvd
CRITICAL 9.3

DescriptionCVE.org

EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

AnalysisAI

Critical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL commands against the application database. With maximum CVSS 4.0 score of 9.3 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete database compromise. Taiwan CERT reported this issue, indicating regional targeting or discovery. No active exploitation confirmed in CISA KEV at time of analysis, but the combination of trivial exploitation conditions and catastrophic impact warrants immediate priority.

Technical ContextAI

EasyFlow .NET is an enterprise workflow management system developed by Digiwin Software, widely deployed in manufacturing and ERP environments across Asia-Pacific markets. The vulnerability stems from CWE-89 (SQL Injection), where user-supplied input is incorporated into SQL queries without proper sanitization or parameterization. Based on the CPE string cpe:2.3:a:digiwin:easyflow_.net, this affects the .NET framework implementation of the product. SQL injection occurs when application code concatenates untrusted data directly into SQL statements rather than using parameterized queries or stored procedures with bound parameters. In .NET environments, this typically manifests through misuse of SqlCommand with string concatenation instead of SqlParameter objects, or through ORM query construction vulnerabilities. The network attack vector suggests the injection point is exposed through web service endpoints or web application interfaces accessible without authentication.

RemediationAI

Organizations running EasyFlow .NET must immediately contact Digiwin Software technical support to obtain the latest security patch and upgrade guidance, referencing Taiwan CERT advisories at https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html and https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html for tracking details. Specific patched version numbers have not been published in available intelligence sources at time of analysis. Until vendor patches can be applied, implement network-level compensating controls: restrict EasyFlow .NET web interfaces to authenticated internal networks only through firewall rules or VPN access requirements, eliminating direct Internet exposure (note this reduces attack surface but does not eliminate risk from authenticated insiders or compromised internal systems). Deploy web application firewall (WAF) rules with SQL injection signature detection in blocking mode on all routes to EasyFlow endpoints, understanding this provides defense-in-depth but may be bypassed by sophisticated attackers using encoding or alternative syntax. Review application logs immediately for suspicious SQL-related error messages, unusual database query patterns, or unauthorized data access attempts that may indicate prior exploitation. For database defense, ensure EasyFlow application database accounts operate with minimum necessary privileges (avoid sa/dbo roles), enable database audit logging for all schema changes and bulk data exports, and verify database backups are current and stored offline. Coordinate patching during planned maintenance windows given the system's likely integration with critical business workflows.

Share

CVE-2026-5963 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy