CVE-2026-7695
Published: 03 May 2026
Description
A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2026-7695 is a SQL injection vulnerability (CWE-74, CWE-89) in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 1.3.0. The issue resides in an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue, where manipulation of the fCircuitids argument triggers the injection.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation yields limited impacts on confidentiality, integrity, and availability, resulting in a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Advisories referenced in VulDB entries (vuldb.com/?submit/803275, vuldb.com/?vuln/360864, vuldb.com/?vuln/360864/cti) and a Feishu wiki (ucn9h68n9289.feishu.cn/wiki/QoXfwTAOiiYw2OkO0vAc7b7SnGg) document the issue, noting that the vendor was contacted early but provided no response. No patches or specific mitigations are detailed.
The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)