Skip to main content

Easyflow Net CVE-2026-5964

| EUVDEUVD-2026-23798 CRITICAL
SQL Injection (CWE-89)
2026-04-20 twcert GHSA-f5h4-jpqg-93m3
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 20, 2026 - 08:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 08:22 vuln.today
cvss_changed
CVSS changed
Apr 20, 2026 - 08:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Apr 20, 2026 - 07:56 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 07:45 euvd
EUVD-2026-23798
Analysis Generated
Apr 20, 2026 - 07:45 vuln.today
CVE Published
Apr 20, 2026 - 07:36 nvd
CRITICAL 9.3

DescriptionCVE.org

EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

AnalysisAI

SQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands against the application database, allowing full compromise of data confidentiality, integrity, and availability. Taiwan CERT (TWCERT) publicly disclosed this critical vulnerability with CVSS 9.3 scoring, indicating network-accessible exploitation requiring no authentication or user interaction. No CISA KEV listing identified at time of analysis, suggesting either limited deployment scope or recent disclosure. EPSS data not provided, but CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation if product is internet-facing.

Technical ContextAI

EasyFlow .NET is an enterprise workflow and business process management platform developed by Digiwin Software, a Taiwan-based ERP vendor. This vulnerability stems from CWE-89 (Improper Neutralization of Special Elements in SQL Command), the classic SQL injection flaw class where user-controlled input is concatenated directly into SQL queries without sanitization or parameterized statements. The affected component appears to be a web-accessible endpoint in the .NET-based application stack that constructs database queries dynamically. CPE identifier 'cpe:2.3:a:digiwin:easyflow_.net:*:*:*:*:*:*:*:*' indicates all versions may be vulnerable, though the wildcard version field (*) suggests version-specific data was not provided to NVD. The .NET framework itself is not vulnerable; the flaw resides in Digiwin's application code. SQL injection at this severity typically involves backend databases like Microsoft SQL Server or Oracle in enterprise environments, allowing OS command execution via database stored procedures (xp_cmdshell) in worst-case scenarios.

RemediationAI

Immediately review TWCERT advisories at https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html and https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html for vendor patch information and apply any available updates from Digiwin Software. Contact Digiwin support directly for patch status if advisories lack version details. If no patch exists: (1) Remove EasyFlow .NET from internet exposure by placing behind VPN with multi-factor authentication-this converts AV:N to AV:A, drastically reducing attack surface but impacts legitimate remote users; (2) Deploy web application firewall (WAF) with SQL injection signature detection in blocking mode-configure strict rules for single quotes, SQL keywords, UNION statements, but expect potential false positives requiring tuning; (3) Implement database account least privilege by restricting EasyFlow service account to SELECT/INSERT/UPDATE on required tables only, revoking DROP/CREATE/EXECUTE permissions-this limits damage scope but does not prevent data theft; (4) Enable database query logging and monitor for SQL syntax anomalies-reactive control only. Each workaround has operational trade-offs and none eliminates the vulnerability; patching remains the only complete remediation.

Share

CVE-2026-5964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy