EUVD-2026-12531
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /rest/preSetTemplate/getRecByTemplateId endpoint, potentially enabling unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all instances of Tiandy Easy7 up to version 7.17.0 in your environment and isolate affected systems from production networks if possible. Within 7 days: Implement WAF rules to block SQL injection payloads targeting /rest/preSetTemplate/getRecByTemplateId, restrict API access to trusted internal networks only, and implement database activity monitoring. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today