CVE-2026-4289 Overview
CVE-2026-4289 is a SQL injection vulnerability in the Tiandy Easy7 Integrated Management Platform through version 7.17.0. The flaw resides in the /rest/preSetTemplate/getRecByTemplateId endpoint, where the ID parameter is incorporated into a backend SQL query without proper sanitization. Remote attackers can manipulate this parameter to inject arbitrary SQL statements. Public disclosure of the exploit has occurred, and the vendor did not respond to coordinated disclosure attempts. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Unauthenticated remote attackers can inject SQL statements through the ID parameter, potentially exposing database contents managed by the Tiandy Easy7 platform.
Affected Products
- Tiandy Easy7 Integrated Management Platform versions up to and including 7.17.0
- Endpoint: /rest/preSetTemplate/getRecByTemplateId
- Parameter: ID
Discovery Timeline
- 2026-03-17 - CVE-2026-4289 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-4289
Vulnerability Analysis
The vulnerability affects the REST endpoint /rest/preSetTemplate/getRecByTemplateId in the Tiandy Easy7 Integrated Management Platform. The endpoint accepts an ID argument that the application passes into a SQL query without parameterization or input validation. Attackers can supply malicious input that alters the structure of the executed query.
The attack is reachable over the network and does not require authentication or user interaction. According to the EPSS data published on 2026-05-14, exploitation probability remains low at 0.04%, but the public disclosure of the exploit increases practical risk. The vendor was contacted before disclosure and did not respond.
Root Cause
The root cause is improper neutralization of special elements in input used to construct a SQL statement. The application concatenates the user-supplied ID value directly into a database query rather than using prepared statements or parameter binding. This design flaw maps to CWE-74 and is a classic instance of SQL injection introduced by unsafe query construction.
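The unsafe concatenation described above, beside its validated and parameterized replacement, as an added illustration in Python against an in-memory SQLite table. This is example code, not Easy7's own source (whose language and schema are not public); the preset_template table and its columns are assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the preset-template records; the real
    # Easy7 schema is not public, so table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE preset_template (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO preset_template VALUES (?, ?)",
                     [(1, "lobby"), (2, "garage"), (3, "roof")])
    return conn

def get_rec_vulnerable(conn, template_id):
    # The CWE-74 pattern the advisory describes: the raw ID string is spliced
    # into the statement, so anything it contains becomes part of the query.
    sql = "SELECT id, name FROM preset_template WHERE id = " + template_id
    return conn.execute(sql).fetchall()

def get_rec_fixed(conn, template_id):
    # Hardened form: validate the ID against its expected shape (a decimal
    # integer) and bind it as a parameter, so the value can only ever be data.
    if not re.fullmatch(r"[0-9]{1,10}", template_id):
        raise ValueError("ID must be a decimal integer")
    sql = "SELECT id, name FROM preset_template WHERE id = ?"
    return conn.execute(sql, (int(template_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(get_rec_vulnerable(db, "2"))          # one row
    print(get_rec_vulnerable(db, "2 OR 1=1"))   # every row: the query was rewritten
    print(get_rec_fixed(db, "2"))               # one row
    try:
        get_rec_fixed(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)                  # input never reaches the database
```

The validation step is the same numeric allowlist a reverse proxy or WAF can enforce in front of the endpoint while no vendor patch exists.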
Attack Vector
An attacker sends a crafted HTTP request to the /rest/preSetTemplate/getRecByTemplateId endpoint with a malicious ID parameter value. The injected payload modifies the SQL query executed by the backend database, enabling data extraction, authentication record enumeration, or manipulation of database content. The exploit details have been published, lowering the bar for opportunistic exploitation.
Technical details on the disclosure are referenced in the VulDB entry #351294 and the Feishu Document Reference.
Detection Methods for CVE-2026-4289
Indicators of Compromise
- HTTP requests targeting /rest/preSetTemplate/getRecByTemplateId with non-numeric or SQL-meta-character payloads in the ID parameter.
- Web server logs containing common SQL injection tokens such as UNION SELECT, ' OR '1'='1, SLEEP(, or encoded variants in the ID query argument.
- Unexpected database error responses or extended response times originating from the Easy7 application.
Detection Strategies
- Deploy web application firewall signatures that flag SQL meta-characters in the ID parameter for the affected endpoint.
- Enable verbose application and database query logging on the Easy7 platform to capture anomalous SQL patterns.
- Correlate authentication failures, abnormal database error rates, and large outbound responses from the management platform.
Monitoring Recommendations
- Forward Easy7 application and reverse-proxy logs to a centralized SIEM and alert on requests to /rest/preSetTemplate/getRecByTemplateId containing SQL syntax.
- Monitor database accounts used by the Easy7 application for unusual query volumes, schema enumeration queries against information_schema, or access to authentication tables.
- Track outbound network connections from the database server that deviate from the documented baseline.
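A small log scanner that implements the indicators and monitoring points listed above (requests to the affected endpoint whose ID is non-numeric or carries the named SQL tokens, including percent-encoded forms), added here as an example and not part of the advisory. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/rest/preSetTemplate/getRecByTemplateId"

# Tokens from the advisory's indicator list, matched case-insensitively after
# URL decoding so percent-encoded variants are caught as well.
SQL_TOKENS = re.compile(r"(union\s+select|'\s*or\s*'|sleep\s*\(|--|;|/\*)", re.I)

# Apache/nginx combined log format (assumed); only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(url):
    """Return 'sql-token', 'non-numeric' or None for one request URL."""
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs already decodes once
    for value in query.get("ID", []):
        decoded = unquote_plus(value)  # second pass handles double encoding
        if SQL_TOKENS.search(decoded):
            return "sql-token"
        if not decoded.isdigit():      # the ID is expected to be an integer
            return "non-numeric"
    return None

def scan_log(lines):
    """Return a list of (client_ip, verdict, status) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("url"))
        if verdict:
            findings.append((m.group("ip"), verdict, m.group("status")))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2026:10:00:01 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?ID=12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Mar/2026:10:00:02 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?ID=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 301',
    '198.51.100.7 - - [17/Mar/2026:10:00:03 +0000] "GET /rest/preSetTemplate/getRecByTemplateId?ID=1%20UNION%20SELECT%201 HTTP/1.1" 200 9020',
    '10.0.0.9 - - [17/Mar/2026:10:00:04 +0000] "GET /rest/other?ID=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed the findings into the SIEM alert for this endpoint; a 500 status or an unusually large response size on a flagged request is the correlation the detection strategies above call for.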
How to Mitigate CVE-2026-4289
Immediate Actions Required
- Restrict network access to the Easy7 Integrated Management Platform so that the REST API is reachable only from trusted administrative networks.
- Place a web application firewall in front of the Easy7 interface and enforce rules that block SQL injection patterns on the /rest/preSetTemplate/getRecByTemplateId endpoint.
- Audit database accounts used by the Easy7 application and revoke privileges that are not required for normal operation.
Patch Information
No vendor patch is available at the time of publication. The vendor did not respond to the disclosure. Organizations should track the VulDB entry #351294 for updates and contact Tiandy directly for remediation guidance.
Workarounds
- Filter inbound traffic to the affected endpoint at the reverse proxy or WAF layer, rejecting requests where ID contains non-numeric characters.
- Disable or remove access to the /rest/preSetTemplate/getRecByTemplateId route if the preset template feature is not in use.
- Apply least-privilege database accounts so that successful injection cannot escalate beyond read access to required tables.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

