PatchSiren cyber security CVE debrief

CVE-2026-9524 xianrendzw CVE debrief

A SQL injection vulnerability exists in xianrendzw EasyReport up to version 2.0.17.0522_Beta. The vulnerability resides in the `execute` function of a REST endpoint component, where improper sanitization of the `reportParams` argument allows remote attackers to inject malicious SQL commands. The vulnerability has a CVSS 4.0 base score of 5.3 (MEDIUM severity) with network attack vector, low attack complexity, and low privileges required. The vendor was contacted prior to disclosure but did not respond.

Vendor: xianrendzw
Product: EasyReport
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

  • Organizations running xianrendzw EasyReport version 2.0.17.0522_Beta or earlier
  • Security teams responsible for protecting reporting infrastructure
  • Database administrators managing EasyReport backends
  • Developers maintaining custom integrations with EasyReport REST APIs

Technical summary

The vulnerability exists in the execute function of a REST endpoint in xianrendzw EasyReport. The reportParams argument is not properly sanitized before being used in SQL queries, allowing attackers to manipulate the parameter to inject arbitrary SQL commands. This is a classic SQL injection vulnerability (CWE-89) with additional classification under CWE-74. The attack can be launched remotely with low privileges required.

Defensive priority

medium

Recommended defensive actions

  • Review and restrict network access to EasyReport REST endpoints, particularly those handling the execute function
  • Implement parameterized queries or prepared statements for all database interactions involving the reportParams parameter
  • Apply input validation and sanitization for reportParams, rejecting or escaping SQL metacharacters
  • Monitor database query logs for anomalous patterns indicative of SQL injection attempts
  • Contact xianrendzw for patch availability given vendor non-responsiveness to initial disclosure
  • Consider upgrading to a patched version when available, or implement Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting the reportParams parameter
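As an added illustration of the parameterized-query recommendation above (example code written for this debrief, not EasyReport's own; the `sales` table, the `ALLOWED_PARAMS` allowlist and the parameter values are all constructed), the string-concatenation pattern that produces CWE-89 is shown next to a hardened form that binds `reportParams` values as placeholders and rejects unexpected parameter names:

```python
import sqlite3

# Constructed sample data standing in for a report backend (not EasyReport's schema).
SAMPLE_ROWS = [("EU", 120), ("US", 340), ("APAC", 75)]

# Hypothetical allowlist: report parameters may only refer to these column names.
ALLOWED_PARAMS = {"region"}


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (region TEXT, total INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def run_report_unsafe(conn, report_params):
    """Vulnerable pattern (CWE-89): parameter values are pasted into the SQL text."""
    sql = "SELECT region, total FROM sales"
    if report_params:
        where = " AND ".join(f"{k} = '{v}'" for k, v in report_params.items())
        sql += f" WHERE {where}"
    return conn.execute(sql).fetchall()


def run_report_safe(conn, report_params):
    """Hardened form: names are checked against the allowlist, values are bound."""
    for name in report_params:
        if name not in ALLOWED_PARAMS:
            raise ValueError(f"unexpected report parameter: {name!r}")
    sql = "SELECT region, total FROM sales"
    if report_params:
        # Only allowlisted names reach the SQL text; every value goes through a placeholder.
        where = " AND ".join(f"{k} = ?" for k in report_params)
        sql += f" WHERE {where}"
    return conn.execute(sql, tuple(report_params.values())).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = {"region": "EU' OR '1'='1"}  # constructed value that breaks out of the quotes
    print("unsafe:", run_report_unsafe(db, tampered))  # returns every row
    print("safe:  ", run_report_safe(db, tampered))    # returns no rows
```

The tampered value is treated as an ordinary string by the parameterized query, so it matches no region; the concatenating version lets the same value rewrite the WHERE clause.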

Evidence notes

The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in an SQL Command). The CVSS 4.0 vector indicates network accessibility with low attack complexity and low privilege requirements. The affected product version is explicitly bounded to 2.0.17.0522_Beta and earlier.

Official resources

The CVE was published on 2026-05-26T04:16:27.617Z and last modified on 2026-05-26T19:54:40.357Z. The vulnerability was disclosed through VulDB as the CNA. The vendor (xianrendzw) was contacted early about this disclosure but did not respond.