Submit #814567: xianrendzw EasyReport Releases SQL Injectioninfo

Titlexianrendzw EasyReport Releases SQL Injection
DescriptionProject Information Project: xianrendzw/EasyReport Type: Stored SQL Injection Severity: High (CVSS 7.5) CWE: CWE-89 (SQL Injection) Vulnerability Description EasyReport contains a stored SQL injection where report parameters are stored via MyBatis and later used in SQL concatenation without parameterization. Data Flow REST API (reportParams) → MyBatis → SQL concatenation → execute() Write Path REST endpoint accepts report configuration with SQL parameters Parameters stored via MyBatis to database Read Path Stored report parameters retrieved during report generation Values concatenated into SQL strings via MyBatis ${} syntax or Java string concatenation SQL executed without parameterization
Source⚠️ https://github.com/Ku4D3/bug_story/blob/main/report_10.md
User
 Ku4D3 (UID 97639)
Submission04/28/2026 04:50 (2 months ago)
Moderation05/25/2026 21:28 (28 days later)
StatusAccepted
VulDB entry365543 [xianrendzw EasyReport up to 2.0.17.0522_Beta REST Endpoint execute reportParams sql injection]
Points20

Want to know what is going to be exploited?

We predict KEV entries!