CVE-2026-9466

MEDIUM

Tiandy Easy7 Integrated Management Platform API Endpoint updateUserPassword password recovery

Title source: cna

Description

A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry vdb-entry

VDB-365447 | Tiandy Easy7 Integrated Management Platform API Endpoint updateUserPassword password recovery

https://vuldb.com/vuln/365447

Signature, Permissions Required signature permissions-required

VDB-365447 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/365447/cti

Third Party Advisory third-party-advisory

Submit #813990 | Tiandy Technologies Co., Ltd. Easy7 Integrated Management Platform 7.17.0 Weak Password Recovery

https://vuldb.com/submit/813990

Exploit exploit

https://ucn9h68n9289.feishu.cn/wiki/DRghw6X8piOtClkjBkHcfgvtnPx?from=from_copylink

Scores

CVSS v3 5.3

EPSS 0.0035

EPSS Percentile 26.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-640

Status published

Products (1)

Tiandy/Easy7 Integrated Management Platform 7.17.0

Published May 25, 2026

Tracked Since May 25, 2026