CVE-2026-7698
Published: 03 May 2026
Description
A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Manipulation of the argument week leads to OS command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2026-7698 is an OS command injection vulnerability affecting Tiandy Easy7 Integrated Management Platform version 7.17.0. The issue resides in an unknown functionality of the /Easy7/rest/systemInfo/updateDbBackupInfo file, where manipulation of the "week" argument enables arbitrary command execution. Classified under CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-05-03.
The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the underlying system. A public exploit is available, increasing the risk of widespread abuse.
VulDB advisories, linked in the references, document the issue but note that the vendor was contacted early without any response or patch release. No official mitigations or updates from Tiandy are mentioned.
Because the exploit is publicly available, it might already be in use by attackers targeting exposed instances of the platform.
Details
- CWE(s)