Digiwin
Products
5- 12 CVEs
- 3 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
Recent CVEs
19| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-5964 | Cri | 0.64 | 9.8 | 0.00 | Apr 20, 2026 | EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | ||
| CVE-2026-5963 | Cri | 0.64 | 9.8 | 0.00 | Apr 20, 2026 | EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | ||
| CVE-2025-7343 | Cri | 0.64 | 9.8 | 0.01 | Jul 21, 2025 | The SFT developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | ||
| CVE-2024-5311 | Cri | 0.64 | 9.8 | 0.01 | Jun 3, 2024 | DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records. | ||
| CVE-2024-4893 | Cri | 0.64 | 9.8 | 0.01 | May 15, 2024 | DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands. | ||
| CVE-2022-32456 | Cri | 0.64 | 9.8 | 0.01 | Jul 20, 2022 | Digiwin BPM’s function has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL command to access, modify, delete database or disrupt service. | ||
| CVE-2025-7344 | Hig | 0.57 | 8.8 | 0.01 | Jul 21, 2025 | The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to administrator level via a specific API. | ||
| CVE-2025-13165 | Hig | 0.49 | 7.5 | 0.00 | Nov 17, 2025 | EasyFlow GP developed by Digiwin has a Denial of service vulnerability, allowing unauthenticated remote attackers to send specific requests that result in denial of web service. | ||
| CVE-2025-11949 | Hig | 0.49 | 7.5 | 0.00 | Oct 21, 2025 | EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality. | ||
| CVE-2022-32458 | Hig | 0.49 | 7.5 | 0.01 | Jul 20, 2022 | Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files. | ||
| CVE-2025-2705 | Hig | 0.47 | 7.3 | 0.00 | Mar 24, 2025 | A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The… | ||
| CVE-2025-12503 | Med | 0.42 | 6.5 | 0.00 | Nov 3, 2025 | EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | ||
| CVE-2024-7323 | Med | 0.42 | 6.5 | 0.01 | Aug 2, 2024 | Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. A remote attacker with regular privilege can exploit this vulnerability to download arbitrary files from the remote server . | ||
| CVE-2025-2706 | Med | 0.41 | 6.3 | 0.00 | Mar 24, 2025 | A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely.… | ||
| CVE-2022-32457 | Med | 0.35 | 5.3 | 0.01 | Jul 20, 2022 | Digiwin BPM has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform Blind SSRF attack to discover internal network topology base on URL error response. | ||
| CVE-2025-13164 | Med | 0.32 | 4.9 | 0.00 | Nov 17, 2025 | EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend. | ||
| CVE-2025-13163 | Med | 0.32 | 4.9 | 0.00 | Nov 17, 2025 | EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend. | ||
| CVE-2026-12581 | 0.00 | — | 0.00 | Jun 22, 2026 | EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user logs in. | |||
| CVE-2026-12580 | 0.00 | — | 0.00 | Jun 22, 2026 | EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load. |
- risk 0.64cvss 9.8epss 0.00
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
- risk 0.64cvss 9.8epss 0.00
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
- risk 0.64cvss 9.8epss 0.01
The SFT developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
- risk 0.64cvss 9.8epss 0.01
DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records.
- risk 0.64cvss 9.8epss 0.01
DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands.
- risk 0.64cvss 9.8epss 0.01
Digiwin BPM’s function has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL command to access, modify, delete database or disrupt service.
- risk 0.57cvss 8.8epss 0.01
The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to administrator level via a specific API.
- risk 0.49cvss 7.5epss 0.00
EasyFlow GP developed by Digiwin has a Denial of service vulnerability, allowing unauthenticated remote attackers to send specific requests that result in denial of web service.
- risk 0.49cvss 7.5epss 0.00
EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.
- risk 0.49cvss 7.5epss 0.01
Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.
- risk 0.47cvss 7.3epss 0.00
A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The…
- risk 0.42cvss 6.5epss 0.00
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
- risk 0.42cvss 6.5epss 0.01
Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. A remote attacker with regular privilege can exploit this vulnerability to download arbitrary files from the remote server .
- risk 0.41cvss 6.3epss 0.00
A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely.…
- risk 0.35cvss 5.3epss 0.01
Digiwin BPM has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform Blind SSRF attack to discover internal network topology base on URL error response.
- risk 0.32cvss 4.9epss 0.00
EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend.
- risk 0.32cvss 4.9epss 0.00
EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend.
- CVE-2026-12581Jun 22, 2026risk 0.00cvss —epss 0.00
EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user logs in.
- CVE-2026-12580Jun 22, 2026risk 0.00cvss —epss 0.00
EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load.