PatchSiren cyber security CVE debrief

CVE-2026-9437 DTStack CVE debrief

A command injection vulnerability exists in DTStack Taier 1.4.0, specifically where the REST API component passes request input to Runtime.exec. Remote attackers can execute arbitrary operating system commands by manipulating the sqlText parameter. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, low privileges required (PR:L), no user interaction, and low impact on confidentiality, integrity, and availability. The vulnerability was published on May 25, 2026 and modified on May 26, 2026. The vendor was reportedly contacted prior to disclosure but did not respond. Because a public exploit is available, the immediate risk is higher than the LOW severity rating alone suggests. Organizations running DTStack Taier 1.4.0 should ensure that sqlText never reaches a shell: validate the parameter against an allowlist, and where an external process is unavoidable, pass sqlText as a discrete argument rather than concatenating it into a command string. Parameterized queries address SQL injection on the database side but do not prevent OS command injection through Runtime.exec.

Vendor
DTStack
Product
Taier
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations running DTStack Taier 1.4.0, security teams managing data integration platforms, developers implementing REST APIs with dynamic query execution, and incident response teams monitoring for command injection attacks.

Technical summary

The vulnerability resides in the REST API component of DTStack Taier 1.4.0, where the sqlText parameter reaches Runtime.exec. Attackers can inject operating system commands through sqlText, achieving remote code execution. The attack requires network access and low privileges (PR:L), with no user interaction; the E:P component indicates that a proof-of-concept exploit is public. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P. Classified under CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-78 (OS Command Injection).

Defensive priority

medium

Recommended defensive actions

  • Validate sqlText at the REST API boundary against an allowlist of expected characters and a maximum length, rejecting shell metacharacters such as ;, |, &, $( ), and backticks
  • Never build a shell command string from sqlText; if an external process is required, invoke it with a discrete argument list (for example ProcessBuilder) and no shell, so the parameter arrives as a single literal argument
  • Use parameterized queries or prepared statements for the database side of sqlText handling; they protect against SQL injection but are not a substitute for the two points above
  • Review and restrict Runtime.exec and ProcessBuilder usage in application code, and audit every call site that receives request-controlled input
  • Monitor for anomalous child processes spawned by the Taier JVM and for REST requests whose sqlText value contains shell metacharacters
  • Consider network segmentation to limit exposure of Taier REST API endpoints, since the attack needs only network access and low privileges
  • Establish vendor communication channels for security coordination, given the documented non-response to the original report
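The following is an added illustration, not Taier's code and not derived from the public exploit: it shows the general shape of the bug class the technical summary describes (request-controlled sqlText concatenated into a command that a shell parses via Runtime.exec) beside the hardened form the recommended actions call for (no shell, sqlText as one argv element, plus an allowlist check). The class name, the /bin/echo stand-in for whatever tool the real handler invokes, the allowlist pattern, and the payload "select 1; id" are all constructed for the example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Illustrative example only; not DTStack Taier code. /bin/echo stands in for
 * whatever external tool a REST handler might shell out to with sqlText.
 */
public class SqlTextExec {

    // Hypothetical external tool the handler invokes (assumption).
    private static final String TOOL = "/bin/echo";

    // VULNERABLE pattern: sqlText is concatenated into a string that /bin/sh
    // parses, so ';', '|', '&', '$(...)' and backticks become shell syntax.
    static String runVulnerable(String sqlText) throws IOException, InterruptedException {
        Process p = Runtime.getRuntime().exec(
                new String[] {"/bin/sh", "-c", TOOL + " SQL: " + sqlText});
        return drain(p);
    }

    // HARDENED: no shell is involved. sqlText is exactly one argv element, so
    // metacharacters reach the tool as literal text and cannot chain commands.
    static String runHardened(String sqlText) throws IOException, InterruptedException {
        if (!isAcceptableSqlText(sqlText)) {
            throw new IllegalArgumentException("rejected sqlText");
        }
        Process p = new ProcessBuilder(List.of(TOOL, "SQL:", sqlText))
                .redirectErrorStream(true)
                .start();
        return drain(p);
    }

    // Defence in depth: bound the length and allow only characters a SQL
    // statement is expected to contain. ';' is allowed (statement terminator);
    // '$', '`', '|', '&' are not. An allowlist is safer than a denylist of
    // shell metacharacters, which is easy to get wrong.
    private static final Pattern ALLOWED =
            Pattern.compile("[\\p{Alnum}\\s_.,;=*()'<>!-]{1,4096}");

    static boolean isAcceptableSqlText(String sqlText) {
        return sqlText != null && ALLOWED.matcher(sqlText).matches();
    }

    // Read the child's stdout to completion and wait for it to exit.
    private static String drain(Process p) throws IOException, InterruptedException {
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker input: a harmless second command after ';'.
        String payload = "select 1; id";

        // Shell path: prints "SQL: select 1" and then the output of `id`.
        System.out.print("vulnerable:\n" + runVulnerable(payload));

        // No-shell path: prints "SQL: select 1; id" literally; `id` never runs.
        System.out.print("hardened:\n" + runHardened(payload));

        // Allowlist rejects command substitution outright.
        System.out.println("accepts $(id)? " + isAcceptableSqlText("$(id)"));
    }
}
```

Compile and run with `javac SqlTextExec.java && java SqlTextExec` on a POSIX host (the example assumes /bin/sh and /bin/echo exist). The first block's second output line proves the injection; the hardened block shows that removing the shell, not just filtering characters, is what makes the separator inert. Note that `Runtime.exec(String)` with a single string does not itself invoke a shell (it splits on whitespace), so the exploitable shape is almost always a command line that explicitly includes `sh -c` or an equivalent, as modelled above.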

Evidence notes

Vulnerability affects DTStack Taier 1.4.0 via sqlText parameter manipulation reaching Runtime.exec. CVSS 4.0 score of 2.1 (LOW); the vector's PR:L component indicates low privileges are required. Vendor non-response documented. Public exploit availability confirmed (E:P). CWE-77 and CWE-78 classifications applied.
