Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
AnalysisAI
SQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands against the application database, allowing full compromise of data confidentiality, integrity, and availability. Taiwan CERT (TWCERT) publicly disclosed this critical vulnerability with CVSS 9.3 scoring, indicating network-accessible exploitation requiring no authentication or user interaction. No CISA KEV listing identified at time of analysis, suggesting either limited deployment scope or recent disclosure. EPSS data not provided, but CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation if product is internet-facing.
Technical ContextAI
EasyFlow .NET is an enterprise workflow and business process management platform developed by Digiwin Software, a Taiwan-based ERP vendor. This vulnerability stems from CWE-89 (Improper Neutralization of Special Elements in SQL Command), the classic SQL injection flaw class where user-controlled input is concatenated directly into SQL queries without sanitization or parameterized statements. The affected component appears to be a web-accessible endpoint in the .NET-based application stack that constructs database queries dynamically. CPE identifier 'cpe:2.3:a:digiwin:easyflow_.net:*:*:*:*:*:*:*:*' indicates all versions may be vulnerable, though the wildcard version field (*) suggests version-specific data was not provided to NVD. The .NET framework itself is not vulnerable; the flaw resides in Digiwin's application code. SQL injection at this severity typically involves backend databases like Microsoft SQL Server or Oracle in enterprise environments, allowing OS command execution via database stored procedures (xp_cmdshell) in worst-case scenarios.
RemediationAI
Immediately review TWCERT advisories at https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html and https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html for vendor patch information and apply any available updates from Digiwin Software. Contact Digiwin support directly for patch status if advisories lack version details. If no patch exists: (1) Remove EasyFlow .NET from internet exposure by placing behind VPN with multi-factor authentication-this converts AV:N to AV:A, drastically reducing attack surface but impacts legitimate remote users; (2) Deploy web application firewall (WAF) with SQL injection signature detection in blocking mode-configure strict rules for single quotes, SQL keywords, UNION statements, but expect potential false positives requiring tuning; (3) Implement database account least privilege by restricting EasyFlow service account to SELECT/INSERT/UPDATE on required tables only, revoking DROP/CREATE/EXECUTE permissions-this limits damage scope but does not prevent data theft; (4) Enable database query logging and monitor for SQL syntax anomalies-reactive control only. Each workaround has operational trade-offs and none eliminates the vulnerability; patching remains the only complete remediation.
More in Easyflow Net
View allCritical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL command
Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifi
Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately fi
Stored Cross-Site Scripting in Digiwin's EasyFlow .NET workflow platform enables authenticated low-privilege attackers t
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23798
GHSA-f5h4-jpqg-93m3