CVE-2026-9524
Description
A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522_Beta. Affected by this issue is the function execute of the component REST Endpoint. Manipulation of the argument reportParams can lead to SQL injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
EasyReport <=2.0.17.0522_Beta has a stored SQL injection in the REST endpoint via the `reportParams` argument, allowing remote attackers to execute arbitrary SQL.
Vulnerability
A stored SQL injection vulnerability exists in xianrendzw EasyReport up to version 2.0.17.0522_Beta. The affected code path is the execute function of the REST Endpoint component, where the reportParams argument is manipulated. Report parameters are stored via MyBatis and later concatenated into SQL strings using MyBatis ${} syntax or Java string concatenation without parameterization [1]. This allows attackers to inject arbitrary SQL statements through the stored parameters during report generation. Authentication is required to access the report management functionality [1].
Exploitation
An attacker with authenticated access to the EasyReport application can send a crafted request to the REST endpoint that handles report configuration. The reportParams argument is accepted and stored in the database via MyBatis. When the stored report is later generated, the injected parameter values are retrieved and concatenated directly into SQL queries, so they never pass through parameterized query protections such as MyBatis #{} syntax [1]. The attack can be launched remotely, requiring only network access to the affected REST endpoint and valid credentials for report management [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands on the database backend. This can lead to unauthorized disclosure of sensitive data, modification or deletion of database records, and potentially privilege escalation within the database context [1]. The CVSS v3 score of 6.3 (Medium) reflects the authenticated requirement but indicates significant impact on confidentiality and integrity [1].
Mitigation
As of the publication date, the vendor has not responded to disclosure contacts [1]. No official patch or fixed version is available. Users should upgrade to a future release once the vendor addresses the issue. Recommended workarounds include replacing MyBatis ${} syntax with #{} parameterized queries, implementing strict input validation for report parameter values, and sanitizing special characters in SQL strings [1]. At the time of writing, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
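The mitigation above hinges on the difference between MyBatis `${}` (raw text substitution before the SQL reaches the driver) and `#{}` (a JDBC PreparedStatement placeholder that binds the value as data). The following mapper is an added illustration written for this page; it is not EasyReport's code, and the `sales` table, the `region` and `sort_column` names and the `ReportDataMapper` interface are assumptions chosen for the example. It shows the weak form beside the corrected form, and also covers the case where an identifier genuinely cannot be bound as a parameter (a user-selected sort column), where an allow-list check is the practical substitute for parameterization.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Illustrative mapper, not EasyReport's own code. Table and column names are
// assumptions made for this example.
public interface ReportDataMapper {

    // Weak: ${} splices the stored parameter value into the SQL text verbatim,
    // exactly like Java string concatenation. A value containing a quote
    // character changes the structure of the statement, which is the defect
    // class described for CVE-2026-9524.
    @Select("SELECT * FROM sales WHERE region = '${region}'")
    List<Map<String, Object>> findByRegionUnsafe(@Param("region") String region);

    // Corrected: #{} is rendered as a '?' placeholder and the value is bound
    // through PreparedStatement.setString, so it is treated as data only.
    @Select("SELECT * FROM sales WHERE region = #{region}")
    List<Map<String, Object>> findByRegionSafe(@Param("region") String region);

    // Identifiers (column names in ORDER BY) cannot be bound with #{}; if a
    // report parameter selects the sort column, ${} is unavoidable and the
    // value must be validated against a fixed allow-list before it gets here.
    @Select("SELECT * FROM sales WHERE region = #{region} ORDER BY ${sortColumn}")
    List<Map<String, Object>> findByRegionSorted(@Param("region") String region,
                                                 @Param("sortColumn") String sortColumn);
}

// Validation for the one place ${} remains. Hypothetical helper for this page.
final class ReportParamGuard {

    // Only columns the report is allowed to sort by. Constructed for the example.
    private static final Set<String> ALLOWED_SORT_COLUMNS =
            Set.of("region", "amount", "sold_at");

    // Defensive syntactic check in addition to the allow-list: plain identifiers only.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    private ReportParamGuard() {}

    // Returns the validated identifier, or throws. Callers pass the result to
    // findByRegionSorted so the ${} substitution can only ever see a known name.
    static String checkSortColumn(String candidate) {
        if (candidate == null || !IDENTIFIER.matcher(candidate).matches()
                || !ALLOWED_SORT_COLUMNS.contains(candidate)) {
            throw new IllegalArgumentException("sort column not permitted: " + candidate);
        }
        return candidate;
    }
}
```

Used at the report-generation boundary, `ReportDataMapper.findByRegionSorted(region, ReportParamGuard.checkSortColumn(requestedSort))` keeps every stored value either bound as data or constrained to a fixed set of identifiers; auditing a MyBatis code base for this issue then reduces to grepping mapper XML and annotations for `${` and confirming each occurrence is fed only by such an allow-list.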
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected versions (2 entries):
- (no CPE) range: <=2.0.17.0522_Beta
- (no CPE) range: <=2.0.17.0522_Beta
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.