Skip to main content

EasyReport EUVDEUVD-2026-31783

| CVE-2026-9524 MEDIUM
SQL Injection (CWE-89)
2026-05-26 VulDB GHSA-x3r2-vhf8-v655
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 11:39 vuln.today
CVSS changed
May 26, 2026 - 20:07 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522_Beta. Affected by this issue is the function execute of the component REST Endpoint. Executing a manipulation of the argument reportParams can lead to sql injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in xianrendzw EasyReport up to version 2.0.17.0522_Beta exposes authenticated remote attackers a path to query manipulation via the reportParams argument in the REST Endpoint's execute function. The CVSS 4.0 score of 5.3 reflects a low-privilege authenticated requirement with partial impact across confidentiality, integrity, and availability - meaning data exfiltration, record tampering, and limited availability disruption are all within scope. No public exploit has been confirmed and no vendor patch exists, as the vendor did not respond to coordinated disclosure; EPSS at 0.03% (8th percentile) corroborates low current exploitation interest.

Technical ContextAI

EasyReport is a reporting application developed by xianrendzw, identified by CPE cpe:2.3:a:xianrendzw:easyreport:*:*:*:*:*:*:*:*. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning the reportParams parameter received by the REST Endpoint's execute function is incorporated into a backend SQL query without adequate sanitization or parameterization. This is a classic server-side SQL injection pattern where attacker-controlled input directly influences query structure. Because the endpoint is exposed over the network and only requires low privileges, the attack surface is broader than purely local or unauthenticated-only flaws, though scope is limited to the affected application's database (CVSS scope: unchanged).

RemediationAI

No vendor-released patch has been identified at time of analysis - the vendor did not respond to coordinated disclosure, so no official fix version is available. Organizations should apply the following compensating controls: first, restrict access to the vulnerable REST Endpoint to authenticated internal users only via network-layer controls (firewall rules or API gateway policies), reducing exposure from the public internet; note this does not eliminate the vulnerability for internal users. Second, deploy a Web Application Firewall (WAF) with SQL injection detection rules targeting the reportParams parameter specifically; WAF rules introduce latency and may produce false positives with complex legitimate report query strings. Third, audit all database accounts used by EasyReport to enforce least-privilege access - if the application account has write or admin privileges, restricting it to read-only reduces the impact of a successful injection. Monitor VulDB (https://vuldb.com/vuln/365543) and the NVD entry for any future vendor patch release.

Share

EUVD-2026-31783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy