CVE-2026-5963
Published: 20 April 2026
Description
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user inputs to block malicious SQL commands from being executed in the database.
Mandates timely identification, reporting, and correction of the SQL injection flaw through patching or code remediation.
Requires regular vulnerability scanning to identify SQL injection vulnerabilities like CVE-2026-5963 and subsequent remediation.
Security SummaryAI
CVE-2026-5963 is a SQL injection vulnerability (CWE-89) affecting EasyFlow .NET, a product developed by Digiwin. Published on 2026-04-20T08:16:10.653, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for high impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction or privileges required. Successful exploitation allows attackers to inject arbitrary SQL commands, enabling them to read sensitive data, modify database contents, and delete records.
Mitigation details are provided in advisories from TWCERT/CC, available at https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html and https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing application enables T1190 (exploit public-facing app); allows reading sensitive data (T1213.006 databases) and modifying database contents (T1565.001 stored data manipulation).