Skip to main content

Hoteam PDM EUVDEUVD-2026-26881

| CVE-2026-7727 MEDIUM
SQL Injection (CWE-89)
2026-05-04 VulDB
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
May 04, 2026 - 05:22 NVD
HIGH MEDIUM
CVSS changed
May 04, 2026 - 05:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
May 04, 2026 - 05:00 vuln.today
EUVD ID Assigned
May 04, 2026 - 04:30 euvd
EUVD-2026-26881
Analysis Generated
May 04, 2026 - 04:30 vuln.today
Patch released
May 04, 2026 - 04:30 nvd
Patch available
CVE Published
May 04, 2026 - 03:15 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was determined in Shandong Hoteam Software PDM Product Data Management System up to 8.3.9. This affects the function GetQueryMachineGridOnePageData of the file /Base/BaseService.asmx/DataService. This manipulation of the argument SortOrder causes sql injection. The attack can be initiated remotely. Upgrading to version 8.3.10 is able to mitigate this issue. You should upgrade the affected component.

AnalysisAI

SQL injection in Shandong Hoteam PDM Product Data Management System versions ≤8.3.9 allows remote unauthenticated attackers to execute arbitrary SQL commands via the SortOrder parameter in the GetQueryMachineGridOnePageData function of /Base/BaseService.asmx/DataService endpoint. The vulnerability enables unauthorized data access, modification, and potential service disruption (CVSS 7.3: C:L/I:L/A:L). Vendor-released patch available in version 8.3.10. EPSS data not available; no CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) in a .NET ASMX web service endpoint. The affected component is BaseService.asmx/DataService, which appears to be a backend data service for the PDM (Product Data Management) system. The GetQueryMachineGridOnePageData function accepts user-controlled input via the SortOrder parameter, which is directly incorporated into SQL queries without proper sanitization or parameterization. PDM systems typically manage engineering documents, CAD files, and product lifecycle data, making them high-value targets in manufacturing and engineering environments. The .asmx extension indicates legacy ASP.NET Web Services (pre-WCF), which historically lack built-in protections against injection attacks unless developers explicitly implement parameterized queries or stored procedures.

RemediationAI

Upgrade to Shandong Hoteam PDM Product Data Management System version 8.3.10, which vendor confirms addresses this SQL injection vulnerability (patch reference: https://en.hoteamsoft.com/pdm). Organizations unable to immediately upgrade should implement network-level access controls: restrict /Base/BaseService.asmx/DataService endpoint access to authenticated internal IP ranges only via firewall rules or web application firewall policies, blocking external and unauthenticated access entirely (trade-off: breaks any legitimate external integrations relying on this endpoint). Additional compensating control: deploy database activity monitoring to detect SQL injection attempts via anomalous query patterns in PDM database logs, focusing on queries originating from the BaseService component (trade-off: detective rather than preventive, requires 24/7 SOC monitoring). Web application firewall rules can filter malicious SortOrder payloads containing SQL metacharacters, but attackers may bypass signature-based detection (trade-off: maintenance overhead, false positives on legitimate special characters). Validate patch effectiveness post-upgrade by testing the SortOrder parameter with SQL injection payloads in non-production environment.

Share

EUVD-2026-26881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy