Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522_Beta. Affected by this issue is the function execute of the component REST Endpoint. Executing a manipulation of the argument reportParams can lead to sql injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in xianrendzw EasyReport up to version 2.0.17.0522_Beta exposes authenticated remote attackers a path to query manipulation via the reportParams argument in the REST Endpoint's execute function. The CVSS 4.0 score of 5.3 reflects a low-privilege authenticated requirement with partial impact across confidentiality, integrity, and availability - meaning data exfiltration, record tampering, and limited availability disruption are all within scope. No public exploit has been confirmed and no vendor patch exists, as the vendor did not respond to coordinated disclosure; EPSS at 0.03% (8th percentile) corroborates low current exploitation interest.
Technical ContextAI
EasyReport is a reporting application developed by xianrendzw, identified by CPE cpe:2.3:a:xianrendzw:easyreport:*:*:*:*:*:*:*:*. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning the reportParams parameter received by the REST Endpoint's execute function is incorporated into a backend SQL query without adequate sanitization or parameterization. This is a classic server-side SQL injection pattern where attacker-controlled input directly influences query structure. Because the endpoint is exposed over the network and only requires low privileges, the attack surface is broader than purely local or unauthenticated-only flaws, though scope is limited to the affected application's database (CVSS scope: unchanged).
RemediationAI
No vendor-released patch has been identified at time of analysis - the vendor did not respond to coordinated disclosure, so no official fix version is available. Organizations should apply the following compensating controls: first, restrict access to the vulnerable REST Endpoint to authenticated internal users only via network-layer controls (firewall rules or API gateway policies), reducing exposure from the public internet; note this does not eliminate the vulnerability for internal users. Second, deploy a Web Application Firewall (WAF) with SQL injection detection rules targeting the reportParams parameter specifically; WAF rules introduce latency and may produce false positives with complex legitimate report query strings. Third, audit all database accounts used by EasyReport to enforce least-privilege access - if the application account has write or admin privileges, restricting it to read-only reduces the impact of a successful injection. Monitor VulDB (https://vuldb.com/vuln/365543) and the NVD entry for any future vendor patch release.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31783
GHSA-x3r2-vhf8-v655