PatchSiren cyber security CVE debrief
CVE-2026-9465 Tiandy CVE debrief
A SQL injection vulnerability exists in Tiandy Easy7 Integrated Management Platform version 7.17.0. The vulnerability resides in the `/Easy7/apps/WebService/GetDBDataEx.jsp` endpoint, where the `strTBName` parameter is susceptible to manipulation, allowing an attacker to inject arbitrary SQL commands. The attack can be exploited remotely without authentication. The vulnerability has been publicly disclosed, and exploit details are available. The vendor was contacted prior to disclosure but did not respond. The CVSS 4.0 score of 5.5 reflects medium severity with a network attack vector, low attack complexity, and low impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
- Vendor: Tiandy
- Product: Easy7 Integrated Management Platform
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations running Tiandy Easy7 Integrated Management Platform 7.17.0, security operations centers monitoring for web application attacks, and database administrators responsible for access control policies.
Technical summary
The Tiandy Easy7 Integrated Management Platform 7.17.0 contains a SQL injection vulnerability in the GetDBDataEx.jsp web service endpoint. The strTBName parameter accepts unsanitized user input that is concatenated directly into SQL queries. An unauthenticated remote attacker can exploit this to read, modify, or delete database contents. The vulnerability is actively exploited in the wild, and a public proof-of-concept is available.
Defensive priority
Medium
Recommended defensive actions
- Apply input validation and parameterized queries to the strTBName parameter in GetDBDataEx.jsp (a table name cannot be bound as a prepared-statement parameter, so validate strTBName against an allowlist of expected table names and bind the remaining values)
- Restrict network access to the /Easy7/apps/WebService/GetDBDataEx.jsp endpoint to trusted sources
- Monitor for suspicious SQL patterns in application logs
- Contact Tiandy for official patch availability and timeline
- Review database user permissions to enforce principle of least privilege
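The first and third actions above, as an added example that is not part of this advisory or of Tiandy's code: a hardened table-name check (strict identifier syntax plus an allowlist, since an identifier cannot be bound as a query parameter) next to a log scan that flags GetDBDataEx.jsp requests whose strTBName carries SQL metacharacters. The table names and log lines are constructed placeholders; the real Easy7 schema and log format are not on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the real Easy7 schema is not on the page, so these
# are placeholder table names a deployment would replace with its own.
ALLOWED_TABLES = {"tbl_device", "tbl_user", "tbl_alarm"}
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
ENDPOINT = "/Easy7/apps/WebService/GetDBDataEx.jsp"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def is_valid_table_name(value: str) -> bool:
    """True only for a bare identifier that is also on the allowlist."""
    return bool(IDENTIFIER_RE.fullmatch(value)) and value in ALLOWED_TABLES

def build_query(table: str) -> str:
    """Hardened lookup: a table name cannot be bound as a prepared-statement
    parameter, so it is validated before it is placed in the SQL text."""
    if not is_valid_table_name(table):
        raise ValueError(f"rejected strTBName: {table!r}")
    return f"SELECT * FROM {table}"

def flag_requests(log_lines):
    """Return (client_ip, strTBName) for GetDBDataEx.jsp requests whose
    strTBName is not a bare identifier, i.e. carries SQL metacharacters."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query).get("strTBName", []):
            if not IDENTIFIER_RE.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/May/2026:10:01:02 +0000] "GET /Easy7/apps/WebService/GetDBDataEx.jsp?strTBName=tbl_device HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/May/2026:10:01:09 +0000] "GET /Easy7/apps/WebService/GetDBDataEx.jsp?strTBName=tbl_device%27%20OR%201=1-- HTTP/1.1" 200 2048',
    '198.51.100.7 - - [25/May/2026:10:01:15 +0000] "GET /Easy7/apps/WebService/GetDBDataEx.jsp?strTBName=tbl_user%22%20-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [25/May/2026:10:02:00 +0000] "GET /Easy7/apps/WebService/Other.jsp?strTBName=x%27 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    print(build_query("tbl_device"))
    for ip, value in flag_requests(SAMPLE_LOG):
        print(f"ALERT {ip} strTBName={value!r}")
```

Requests to other endpoints are ignored on purpose; widen the path check if the same parameter is served elsewhere in the platform.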
Evidence notes
Vulnerability confirmed through VulDB submission and analysis. Public exploit availability confirmed. Vendor contact attempted without response.
Official resources
Public disclosure occurred on 2026-05-25; the vendor did not respond to prior contact attempts.