Which versions of Hoteam PDM are affected by CVE-2026-7727?

Shandong Hoteam PDM versions 8.3.9 and earlier contain a remote SQL injection vulnerability in the product data management system that allows unauthenticated attackers to access, modify, or disrupt…. A patch is available.

How to fix or mitigate CVE-2026-7727?

Within 24 hours: Inventory all Shandong Hoteam PDM deployments and document current versions. Within 7 days: Apply vendor patch to upgrade all instances from version ≤8.3.9 to version 8.3.10 or later; coordinate with PDM system owners to schedule maintenance windows. Within 30 days: Conduct database access logs review for the /Base/BaseService.asmx/DataService endpoint to identify potential exploitation attempts; implement network segmentation to restrict unauthenticated access to PDM services.

Hoteam PDM CVE-2026-7727

Q: What is the CVSS score of CVE-2026-7727?

CVE-2026-7727 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-26881 MEDIUM

SQL Injection (CWE-89)

2026-05-04 VulDB

SQLi

6.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

May 04, 2026 - 05:22 NVD

HIGH MEDIUM

CVSS changed

May 04, 2026 - 05:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

May 04, 2026 - 05:00 vuln.today

EUVD ID Assigned

May 04, 2026 - 04:30 euvd

EUVD-2026-26881

Analysis Generated

May 04, 2026 - 04:30 vuln.today

Patch released

May 04, 2026 - 04:30 nvd

Patch available

CVE Published

May 04, 2026 - 03:15 nvd

MEDIUM 6.9

DescriptionNVD

A vulnerability was determined in Shandong Hoteam Software PDM Product Data Management System up to 8.3.9. This affects the function GetQueryMachineGridOnePageData of the file /Base/BaseService.asmx/DataService. This manipulation of the argument SortOrder causes sql injection. The attack can be initiated remotely. Upgrading to version 8.3.10 is able to mitigate this issue. You should upgrade the affected component.

AnalysisAI

SQL injection in Shandong Hoteam PDM Product Data Management System versions ≤8.3.9 allows remote unauthenticated attackers to execute arbitrary SQL commands via the SortOrder parameter in the GetQueryMachineGridOnePageData function of /Base/BaseService.asmx/DataService endpoint. The vulnerability enables unauthorized data access, modification, and potential service disruption (CVSS 7.3: C:L/I:L/A:L). …

RemediationAI

Within 24 hours: Inventory all Shandong Hoteam PDM deployments and document current versions. Within 7 days: Apply vendor patch to upgrade all instances from version ≤8.3.9 to version 8.3.10 or later; coordinate with PDM system owners to schedule maintenance windows. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7727 vulnerability details – vuln.today

Back

Hoteam PDM CVE-2026-7727

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Hoteam PDM CVE-2026-7727

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code